Four Chrome Zero Days
Lookout Coverage and Recommendation for Admins
To ensure your devices are protected, Lookout admins should take the following steps in their Lookout console:
- Enable the Application Vulnerability policy, which will detect when a vulnerable app version is on the device. Since there are known exploits, we suggest you set the severity to high and block user access to work data until they update the app.
- Lookout published coverage for CVE-2024-4671 on May 17th as MultiApp-2024-4671. Any device with vulnerable versions of Chrome (at or below 124.0.6367.170) will receive an alert if detected after that date. We will add MS Edge (at or below 124.0.2478.105) coverage as it becomes available on the Play Store.
- Coverage for CVE-2024-4761, CVE-2024-4947, CVE-2024-5157, CVE-2024-5158, CVE-2024-5159, and CVE-2024-5160 was released on May 24th as MultiApp-MultiCVE-4761-5160. This coverage will alert devices with vulnerable versions of Chrome (at or below 125.0.6422.70). Edge coverage will be added once a patched version is available in the Play Store.
- Coverage for CVE-2024-5274 will be released soon, once a patched version becomes available in the Play Store.
- Enable Lookout Phishing & Content Protection (PCP) to protect mobile users from malicious phishing campaigns that are built to exploit these vulnerabilities in order to phish credentials or deliver malicious apps to the device.
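The version thresholds in the list above can also be checked against an exported app inventory. The following is an added example, not Lookout's code: the Android package names, the inventory rows and the `UNPARSEABLE` label are assumptions made for illustration, and CVE-2024-5274 is left out because the page gives no version threshold for it.

```python
import re

# Thresholds quoted in this advisory: a version at or below the value is vulnerable.
# Package names are Android application IDs, assumed here for illustration.
COVERAGE = [
    ("com.android.chrome", "124.0.6367.170", "MultiApp-2024-4671"),
    ("com.microsoft.emmx", "124.0.2478.105", "MultiApp-2024-4671"),
    ("com.android.chrome", "125.0.6422.70", "MultiApp-MultiCVE-4761-5160"),
]

def parse_version(text):
    """Turn '125.0.6422.70' into (125, 0, 6422, 70); reject anything else."""
    if not re.fullmatch(r"\d+(\.\d+){3}", text):
        raise ValueError(f"not a four-part Chromium version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def findings(inventory):
    """Return sorted (device, package, version, coverage_id) rows that need action."""
    hits = []
    for device, package, version in inventory:
        try:
            installed = parse_version(version)
        except ValueError:
            # An unreadable version cannot be cleared, so surface it for review.
            hits.append((device, package, version, "UNPARSEABLE"))
            continue
        for cov_pkg, max_vulnerable, cov_id in COVERAGE:
            # Compare as integer tuples: as plain strings, ".82" sorts after ".170".
            if package == cov_pkg and installed <= parse_version(max_vulnerable):
                hits.append((device, package, version, cov_id))
    return sorted(hits)

# Constructed inventory rows: (device, package, installed version).
SAMPLE = [
    ("phone-01", "com.android.chrome", "124.0.6367.82"),
    ("phone-02", "com.android.chrome", "125.0.6422.70"),
    ("phone-03", "com.android.chrome", "125.0.6422.112"),
    ("tablet-04", "com.microsoft.emmx", "124.0.2478.105"),
    ("tablet-05", "com.android.chrome", "unknown"),
]

if __name__ == "__main__":
    for row in findings(SAMPLE):
        print(*row, sep="\t")
```
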
Overview
Google has recently disclosed a handful of new vulnerabilities in its Chrome browser as well as Chromium, which is the codebase that also supports Edge. Within the full list are eight mobile-specific vulnerabilities which include CVE-2024-4671, CVE-2024-4761, CVE-2024-4947, CVE-2024-5157, CVE-2024-5158, CVE-2024-5159, CVE-2024-5160, and CVE-2024-5274. Within that list, 4947, 4671, 4761, and 5274 are all zero-day vulnerabilities, which makes it critically important to patch as soon as possible.
These vulnerabilities exist in various components, including V8, the JavaScript engine that powers Chromium and any browser built on it; Visuals, which handles rendering and display of images in web browsers; Dawn, a WebGPU component that enables webpages to use a device’s GPU; and more. Successful exploitation of many of these vulnerabilities could grant an attacker access to any data that Chrome has access to or allow them to remotely execute code on the vulnerable device.
At the time of writing, four of these vulnerabilities (4761, 4671, 4947, and 5274) have been assigned CVSS scores of 8.8 with known exploits in the wild. They have also been flagged by CISA, which is requiring a patch date of June 3rd, 2024 for 4761 and 4671 and June 10th, 2024 for 4947.
Lookout Analysis
The most likely way for an attacker to exploit these vulnerabilities would be to send a maliciously crafted webpage, since the vulnerabilities exist in the device’s web browser. Because the page needs to reach mobile device users, the attacker would send a message over SMS, email, a third-party messaging platform, or any mobile app that has a messaging feature. That message would contain a link to the malicious webpage, and with some simple social engineering the attacker could convince the victim to tap the link and kick off the exploit.
A successful exploit of one of these vulnerabilities could grant the attacker access to any data that the web browser app itself has access to. This could include permission-based data such as location, web browsing history, personal data, and sound recordings. In addition, the attacker could use these vulnerabilities to deliver phishing sites or malware to the vulnerable device.
As attackers modernize their tactics, exploiting widely used vulnerable apps like Chrome by simply sending the vulnerable device a malicious web page is a quick way for them to compromise a mobile device. This can be a critical weakness in today’s enterprise security posture, which needs to take mobile devices into account as employees access sensitive cloud data from their smartphones and tablets more frequently than they do from desktops and laptops.
Authors
Lookout Mobile Endpoint Security