Microsoft Edge fixes 0-day vulnerability: confirms all Chromium-based browsers vulnerable

Martin Brinkmann
Mar 29, 2024
Microsoft Edge

Microsoft released a security update for its Edge web browser that addresses several security issues, including one that is exploited in the wild.

Google released security updates for its Chrome web browser on March 26, 2024. The official release announcement on the Chrome Releases Blog did not reveal that Google was aware that one of the issues was exploited in the wild.

The critical security issue CVE-2024-2883 -- Use after free in ANGLE -- was fixed in Chrome Stable and Chrome Extended Stable on March 26, 2024.

Microsoft pulled an earlier release of Microsoft Edge 123. The company has now released 123.0.2420.65, which addresses eight unique security issues in the browser.

One of them is CVE-2024-2883, which affects all Chromium-based browsers. The official CVE page on Microsoft's website reveals that the issue is already being exploited in the wild.

Microsoft writes: "Google is aware that an exploit for CVE-2024-2883 exists in the wild."

The Microsoft Edge release notes page confirms this as well: "This update to Stable channel contains a fix for CVE-2024-2883, which has been reported by the Chromium team as having an exploit in the wild."

This confirms that all Chromium-based browsers, including Google Chrome, are affected by the issue. ANGLE, or the ANGLE Project, stands for Almost Native Graphics Layer Engine. It is the graphics abstraction layer Chromium uses to run WebGL, which is why a use-after-free in it is reachable from web content and worth patching promptly.

Google announced ANGLE in 2010 and described its goal in the following way: "The goal of ANGLE is to layer WebGL's subset of the OpenGL ES 2.0 API over DirectX 9.0c API calls. [..] it will enable browsers like Google Chrome to run WebGL content on Windows computers without having to rely on OpenGL drivers."

Update immediately

Microsoft Edge 123 critical security update

Chromium-based browser users may want to update the browser immediately, provided that an update is available.

In most of them, loading chrome://settings/help in the address bar opens the About page. The chrome:// scheme is usually redirected to the browser's own scheme, such as edge:// for Microsoft Edge or vivaldi:// for Vivaldi.

The page lists the version that is currently installed on the system. Opening it also triggers an update check, and any update that is found is downloaded and installed at this point. Note that you need to restart the browser to complete the installation of the update. Where updates are delivered by the system package manager (for instance Linux installs from a vendor repository) or by an enterprise update policy, the page still reports the version, but the update itself may arrive through that channel instead.

Microsoft Edge should list version 123.0.2420.65 after installation of the update.

Load the page in any Chromium-based browser installed to make sure that it is up to date. Not all browser makers may push out updates immediately. If that is the case, check back at a later point in time.
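A scripted form of the same check, useful when several machines have to be audited instead of opening the About page on each one. This is an added example, not code from the article or from Microsoft or Google. It reads the four-part Chromium version from the browser's --version output and compares it numerically against the first fixed build, which matters because a plain string comparison would rank 123.0.2420.9 above 123.0.2420.65. The Edge value 123.0.2420.65 is the one given above; the Chrome value 123.0.6312.86 is an assumption taken from the Chrome Releases post of March 26, 2024 (Windows received 123.0.6312.87) and should be verified; the binary names are the usual Linux ones and the sample --version lines are constructed.

```python
import re
import shutil
import subprocess

# First builds that contain the CVE-2024-2883 fix, as four-part tuples.
# Edge: 123.0.2420.65 from the Microsoft release notes quoted in the article.
# Chrome: 123.0.6312.86 is an assumption taken from the Chrome Releases blog
# of March 26, 2024 (Windows got .87); verify before relying on it.
FIXED_VERSIONS = {
    "edge": (123, 0, 2420, 65),
    "chrome": (123, 0, 6312, 86),
}

# Executable names as they usually appear on a Linux PATH (assumption);
# on Windows or macOS the binaries live elsewhere.
BINARIES = {
    "edge": ["microsoft-edge", "microsoft-edge-stable"],
    "chrome": ["google-chrome", "google-chrome-stable"],
}

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the Chromium MAJOR.MINOR.BUILD.PATCH from --version output as ints."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no Chromium-style version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_patched(browser, version_text):
    """True when the reported build is at or above the first fixed build.

    Tuples compare element by element as integers, so 123.0.2420.9 is
    correctly ranked below 123.0.2420.65 (a string compare would get this wrong).
    """
    return parse_version(version_text) >= FIXED_VERSIONS[browser]


def installed_version(browser):
    """Run `<binary> --version` for the browser; None when no binary is on PATH."""
    for name in BINARIES[browser]:
        path = shutil.which(name)
        if path is None:
            continue
        proc = subprocess.run([path, "--version"], capture_output=True, text=True, timeout=15)
        return proc.stdout.strip()
    return None


def audit(version_lines=None):
    """Classify each browser as 'patched', 'VULNERABLE' or 'not installed'.

    Pass a dict of captured --version lines to check offline; omit it to
    query the browsers installed on this machine.
    """
    results = {}
    for browser in FIXED_VERSIONS:
        if version_lines is not None:
            text = version_lines.get(browser)
        else:
            text = installed_version(browser)
        if text is None:
            results[browser] = "not installed"
        else:
            results[browser] = "patched" if is_patched(browser, text) else "VULNERABLE"
    return results


if __name__ == "__main__":
    # Constructed sample lines, not captured from a real machine.
    sample = {
        "edge": "Microsoft Edge 123.0.2420.9",
        "chrome": "Google Chrome 123.0.6312.86 ",
    }
    for browser, status in audit(sample).items():
        print(f"{browser}: {status}")
```

Run without arguments on a machine to query the installed browsers; pass a dict of lines collected from other hosts to audit them offline. Add further Chromium-based browsers by extending the two dictionaries with the fixed build from that vendor's release notes.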

Closing Words

Mozilla patched two 0-day vulnerabilities in its Firefox web browser as well this week. The patch was released days after the release of Firefox 124.0.

It is important to keep an eye on browser updates that companies release. This allows you to react quickly to major issues that could potentially put your data and systems at risk.

Now You: when do you update your browsers?

Published by Ghacks Technology News


Comments

  1. Security Research said on April 4, 2024 at 5:59 pm

    Nice article, thanks for linking the Microsoft release notes, I was wondering why they hadn’t released a patch for CVE-2024-3159/8/6 yet!

  2. Tony said on April 2, 2024 at 3:21 am

    Me over here noticing Firefox introduced Vertical tabs in the latest Nightly, with no mention anywhere from Ghacks.

  3. melissa said on March 31, 2024 at 1:00 am

    @Bobo,

    > Who knew Microsoft employees can also be useful:

    This assumes M$ was not behind it.

  4. Bobo said on March 30, 2024 at 12:52 pm

    Who knew Microsoft employees can also be useful: https://images2.imgbox.com/e1/e4/K7AvdEnL_o.png
    This guy basically saved linux from a world of hurt: https://access.redhat.com/security/cve/CVE-2024-3094#cve-cvss-v3 FULL SCORE! 10!
    Here’s what happened: https://www.openwall.com/lists/oss-security/2024/03/29/4
    These Finns, whose repo got SOILED by Jia Tan, are now having a great Easter I’m sure…
    https://tukaani.org/about.html

  5. Tachy said on March 29, 2024 at 2:16 pm

    I’ve not had my coffee yet so…. Anyways, I get emails from M$ about security issues. Anyone can sign up. I update edge as soon as they say a security update is available.

    1. Allwynd said on March 31, 2024 at 6:41 pm

      LOL

  6. John G. said on March 29, 2024 at 1:52 pm

    Why don’t they use the AI to make a better Chrome? Thanks for the article! :]

    1. Nonya said on March 29, 2024 at 2:26 pm

      The finance AI told them that security concerns don’t have a positive ROI.

      1. Tachy said on March 30, 2024 at 4:17 pm

        That’s SOP.

  7. Anonymous said on March 29, 2024 at 12:26 pm

    Off Topic.

    On Distrowatch this week there is a comment w.r.t. Python-repository invaded with malware, making all Linux-distros suspect.
    https://distrowatch.com/weekly.php?issue=current&mode=67#comments (comment 28 and further).

    See also: https://www.bleepingcomputer.com/news/security/hundreds-of-malicious-python-packages-found-stealing-sensitive-data/

    If this is as true as it seems, this is the end of Linux-OS and BSD-OS.

    Anybody with better knowledge, any comment?

    1. Andy Prough said on March 29, 2024 at 5:23 pm

      >”If this is as true as is seems, this is the end of Linux-OS and BSD-OS.”

      The article you linked to is about fake python packages which contain malware that targets Microsoft Windows systems. Doesn’t have anything to do with any GNU/Linux distros or any of the BSD’s.

      1. Anonymous said on March 30, 2024 at 12:20 am

        Thanks for your comment/explanation (also at Distrowatch).
        Still, I follow the explanations very closely.

        RedHat warns a new backdoor (XZ malware) is found, which concerns Linux (message 52 DW).

    2. Nonya said on March 29, 2024 at 2:25 pm

      Have done limited research; however, the python ecosystem infestation does seem accurate.

      This is why defense in depth is so important to managing your network and systems. In my opinion, there are several practices that can mitigate the risks. Not all inclusive, just the basics:

      1. Have a solid network edge firewall in place ( pfSense, etc ), lock it down tight and have solid monitoring plans and practices in place. Tools like Suricata, Snort, Zeek, pfBlocker-NG with appropriate lists, and others all help but there is work involved. Monitoring and blocking data-exfiltration is key. Take network segmentation / blocking seriously, I have seen mouse drivers try to “dial home” over IPv6 in the logs. UFW or IPTables rules on each system are also recommended. If you don’t need it, block it.

      2. Limit which repos are in your package manager sources.list to the bare minimum needed. Taking the “latest and greatest” isn’t the best option here. Forced automated updates can also be forced automated infections.

      Locking systems down to just, say, the debian-security repo or equivalent significantly reduces your attack surface and chances to pull in one of the infected packages. If you want to try something new, give it a shot in QEMU/KVM first and monitor for malicious behaviour.

      3. Use appropriate security permissions for everything. If the python package can’t access your sensitive data or even a network interface, it gives time to identify issues before damage is done. This is a pain but nothing compared to untangling accounts or data-breaches.

      4. AppArmor, SELinux or similar tools (eg, linux namespaces) are your friends. Again, a pain to get set up correctly however nothing compared to the alternative.

      5. If in doubt, download the source and review it before installing.

      ——————-

      Sure I have missed stuff in the list above and have no issues at all with corrections or additions. Ultimately, most IT security falls within the principle of least privs and principle of segregated responsibility. Getting those two principles applied in practice is not trivial though…
