April 24, 2024 at 09:15AM
Google released Chrome 124 update addressing four vulnerabilities, including a critical security hole, identified as CVE-2024-4058, allowing potential arbitrary code execution or sandbox escapes. Two members of Qrious Secure reported it and received a $16,000 bounty. The update also addresses two high-severity vulnerabilities, but no mention of CVE-2024-4058 being exploited in the wild.
From the meeting notes, the key takeaways are:
– Google announced the release of Chrome 124 update to address four vulnerabilities, including a critical security hole.
– The critical vulnerability, identified as CVE-2024-4058, is a type confusion bug in the ANGLE graphics layer engine with potential for arbitrary code execution or sandbox escapes with limited user interaction.
– Qrious Secure members reported CVE-2024-4058 and were awarded a $16,000 bounty by Google.
– Qrious Secure previously reported two other Chrome vulnerabilities: CVE-2024-0517 and CVE-2024-0223.
– The latest Chrome update also addressed two high-severity vulnerabilities: CVE-2024-4059 and CVE-2024-4060.
– Google has not mentioned any exploitation of CVE-2024-4058 in the wild, although it is common for threat actors to exploit type confusion bugs in Chrome.
– The new Chrome update also aims to combat cookie theft with device-bound session credentials.
Let me know if you need any further assistance or information.