It’s a pretty interesting attack to learn about for a newcomer in cybersecurity.

While Google did not disclose the complete inner workings of how and why the attack works, what we do know is that it begins in the part of Chrome that handles the visuals in the browser (the part that shows the content to us).

This kind of attack has been done before, and it’s commonly known as a use-after-free attack. I’ll put a full definition with a simple-to-understand example in the Clear-Cut Definitions section; however, to summarize it simply: an attacker is able to run code because there’s an empty (freed) block in memory that can still be used.

Known as CVE-2024-4671, the attack can definitely do a lot of damage because if the hacker gets access to that memory block, they can literally put whatever code they want inside of it.

Would you want someone having access to your car and doing things behind your back? I wouldn’t.

Updates will slowly be released, but for the time being… just update your browser (or switch over to something better like Bing 😂)

Clear-Cut Definitions

  1. Zero-Day Attack: An attack that occurs without the creators of an application or software knowing about the attack.

  2. Use-After-Free Attack: When a piece of memory is being used, there is something that points to that memory (a pointer) and tells the computer, ‘Hey! Use this right here!’ When the memory is deallocated (no longer being used), the pointer is supposed to move. The attack becomes possible when the memory is deallocated but the pointer doesn’t move and stays on that empty memory block. An attacker can get into that empty memory, put harmful code there, and when the program uses the memory through that pointer again, the harmful code runs too.

    • Imagine you own a nice car. You take the car out for a ride and come back home, but you forget that the keys are still in the ignition. When you’re inside your house sleeping, someone takes your car, goes into the engine, and adds stuff in the car that makes it non-functioning. The next morning, you try turning your car on and it works, but after 5 minutes of driving, it completely breaks down.

  3. CVE (Common Vulnerabilities and Exposures): A list and official ranking system out of 10 for big computer vulnerabilities. The list can range from no risk (rating of 0) to critical risk (rating of 10).
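The use-after-free definition in item 2, as an added example (not from the original post and not Chrome's code): a toy slot pool in C where a handle stands in for the pointer, showing a stale handle reading the next owner's data and a checked read that refuses it. The names `pool_alloc`, `pool_free`, `read_unchecked` and `read_checked` are made up for this illustration, and the generation check is one common way to catch stale references, assumed here rather than taken from Chrome.

```c
#include <stdio.h>
#include <string.h>
#define SLOTS 4
/* Toy pool (hypothetical): slots stand in for heap blocks, a handle for the pointer. */
struct slot   { int in_use; unsigned gen; char data[16]; };
struct handle { int idx; unsigned gen; };   /* slot index + generation it was issued for */
static struct slot pool[SLOTS];

static struct handle pool_alloc(const char *text) {
    for (int i = 0; i < SLOTS; i++) {
        if (pool[i].in_use) continue;
        pool[i].in_use = 1;
        pool[i].gen++;                        /* new owner, new generation */
        snprintf(pool[i].data, sizeof pool[i].data, "%s", text);
        return (struct handle){ i, pool[i].gen };
    }
    return (struct handle){ -1, 0 };          /* pool exhausted */
}

/* Frees the slot. The caller's copy of the handle is untouched: it dangles. */
static void pool_free(struct handle h) {
    if (h.idx >= 0 && h.idx < SLOTS) pool[h.idx].in_use = 0;
}

/* Buggy read: trusts any in-range handle, even one that was already freed. */
static const char *read_unchecked(struct handle h) {
    return (h.idx >= 0 && h.idx < SLOTS) ? pool[h.idx].data : NULL;
}

/* Hardened read: refuses a handle whose slot was freed or handed out again. */
static const char *read_checked(struct handle h) {
    if (h.idx < 0 || h.idx >= SLOTS) return NULL;
    if (!pool[h.idx].in_use || pool[h.idx].gen != h.gen) return NULL;
    return pool[h.idx].data;
}

/* Returns 1 when the stale handle reads the next owner's data (the bug). */
int stale_read_sees_new_owner(int use_checked) {
    struct handle mine = pool_alloc("my data");
    pool_free(mine);                               /* freed, but 'mine' still points here */
    struct handle theirs = pool_alloc("not mine"); /* the same slot gets reused */
    const char *seen = use_checked ? read_checked(mine) : read_unchecked(mine);
    int hit = seen != NULL && strcmp(seen, "not mine") == 0;
    pool_free(theirs);
    return hit;
}

int main(void) {
    printf("unchecked=%d checked=%d\n", stale_read_sees_new_owner(0), stale_read_sees_new_owner(1));
    return 0;
}
```

The pool is used instead of real `malloc`/`free` so the reuse is deterministic; with the real heap the same mistake is undefined behaviour and may crash, appear to work, or be steered by whoever controls the next allocation.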
