Why you need to upgrade Chrome now (and say thanks to Apple hackers)
The hacking community has but one global goal: making stuff more secure for people to use at home and work. And it’s thanks to Apple hackers that I can tell you that you must upgrade Chrome now. Immediately.
When I praise the hacking community, I’m of course not talking about the cybercriminal hackers who wouldn’t know community if it bit them on the backside. They don’t have any desire to make things safe. No, I’m talking about the people who put their talents to use uncovering security vulnerabilities and reporting them to vendors, even vendors they are in direct competition with.
Take the hackers who form the Apple Security Engineering and Architecture team. Because they do such a good job, I’ll forgive them the bewildering acronym SEAR. This week the Apple hacking team has been responsible for helping to make Google’s Chrome web browser secure. Yep, you read that right.
Google has confirmed that a critical security vulnerability, CVE-2024-10487, was uncovered by Apple’s SEAR team and reported to Google on 23 October. So serious is this out-of-bounds write that Google addressed it within a matter of days, shipping Chrome 130.0.6723.91/.92 for Windows, Mac and Linux users.
The memory issue itself affects Dawn, an open-source implementation of the WebGPU standard that provides website scripts with a high-performance method of using device graphics power.
“A memory-related bug like this could have severe repercussions if exploited, potentially allowing for remote code execution (RCE),” said Mike Walters, President and Co-Founder of Action1, a vendor of patch management solutions.
Why you need to upgrade Google Chrome now
Google hasn’t disclosed any in-the-wild exploitation of this one yet, but that is no reason to wait: updating your Chrome browser (and any other browser built on the Chromium engine) as soon as possible is vital.
Don’t rely on automatic updating to do all the work: Chrome downloads the update in the background, but the patched code only runs once the browser has been relaunched. Check that the browser reports the new version, and restart it to activate the patch.
My condolences go out to all users who never close tabs, but security needs must, sorry.
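For readers who would rather script the check than click through menus, here is an added example (not part of the original article or of Google’s tooling) that compares the version string a Linux Chrome or Chromium binary reports against 130.0.6723.91, the first build carrying the fixes. The Windows and macOS build is .92, so anything at or above .91 is treated as patched. The binary names searched in PATH and the `--check` flag are this example’s own assumptions; Edge, Brave and other Chromium-based browsers use their own build numbering, so the threshold applies to Chrome/Chromium version strings only.

```shell
#!/bin/sh
# Added example: does the installed Chrome/Chromium report a build that carries
# the fixes for CVE-2024-10487 and CVE-2024-10488? Chrome 130.0.6723.91 (Linux)
# and 130.0.6723.92 (Windows, macOS) are the first patched builds, so any Chrome
# version >= 130.0.6723.91 counts as patched here. Other Chromium-based browsers
# (Edge, Brave, Opera, ...) use their own build numbers; do not reuse this
# threshold for them.
MIN_PATCHED_VERSION="130.0.6723.91"

# extract_version STRING: pull the first a.b.c.d version out of text such as
# "Google Chrome 130.0.6723.91"; prints nothing if no such token is present.
extract_version() {
  printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+){3}' | head -n 1
}

# version_ge A B: exit 0 if dotted version A >= B. Fields are compared as
# integers one at a time, so 130.0.6723.91 ranks above 130.0.6723.9 (a plain
# string comparison would get that wrong). Missing trailing fields count as 0.
version_ge() {
  i=1
  while :; do
    fa=$(printf '%s' "$1" | awk -F. -v n="$i" '{ print $n }')
    fb=$(printf '%s' "$2" | awk -F. -v n="$i" '{ print $n }')
    if [ -z "$fa" ] && [ -z "$fb" ]; then
      return 0   # ran out of fields on both sides: versions are equal
    fi
    fa=${fa:-0}
    fb=${fb:-0}
    if [ "$fa" -gt "$fb" ]; then return 0; fi
    if [ "$fa" -lt "$fb" ]; then return 1; fi
    i=$((i + 1))
  done
}

# chrome_is_patched VERSION_OUTPUT: 0 = patched, 1 = needs update, 2 = no
# version could be parsed from the text.
chrome_is_patched() {
  v=$(extract_version "$1")
  if [ -z "$v" ]; then
    return 2
  fi
  version_ge "$v" "$MIN_PATCHED_VERSION"
}

# check_installed_chrome: query the first Chrome/Chromium binary found in PATH
# (the binary names are this example's assumption). Caveat from the article:
# --version reports the binary on disk. A browser that has been running since
# before the update still executes the old code until it is relaunched, even
# when this prints OK.
check_installed_chrome() {
  for bin in google-chrome google-chrome-stable chromium chromium-browser; do
    if command -v "$bin" >/dev/null 2>&1; then
      out=$("$bin" --version 2>/dev/null) || out=""
      if chrome_is_patched "$out"; then
        echo "OK: $out"
      else
        echo "UPDATE NEEDED: ${out:-unparseable version} (need >= $MIN_PATCHED_VERSION)"
      fi
      return 0
    fi
  done
  echo "No Chrome/Chromium binary found in PATH"
  return 0
}

# Run the live check only when invoked as: sh chrome_check.sh --check
if [ "${1-}" = "--check" ]; then
  check_installed_chrome
fi
```

Run it with `--check` on a Linux box to query the installed binary; the functions themselves take plain strings, so the same logic can be dropped into a fleet inventory script that already collects `--version` output. Remember that a green result from the on-disk binary says nothing about the process that has been open for a week: relaunch.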
“RCE exploits are among the most dangerous,” Walters reminds us, “as they enable attackers to execute malicious code remotely, potentially taking full control of the affected systems.”
Pieter Arntz, from security vendor Malwarebytes, said that “the discovered vulnerability could allow attackers to write data beyond the allocated memory, potentially leading to code execution or system crashes.”
So this is something of a double whammy: a crash at best, code execution at worst.
Talking of which, there were actually two vulnerabilities fixed in this Chrome release. The other is CVE-2024-10488, a high-severity use-after-free (UAF) vulnerability in WebRTC, the open-source audio and video communication component of the browser.
“UAF bugs can lead to significant security issues, allowing adversaries to execute arbitrary code or cause system crashes, potentially enabling denial-of-service attacks,” Walters said.
Next step: Follow our instructions on how to check your browsers are up to date!