Microsoft Edge fixes 0-day vulnerability: confirms all Chromium-based browsers vulnerable
Microsoft released a security update for its Edge web browser that addresses several security issues, including one that is exploited in the wild.
Google released security updates for its Chrome web browser on March 26, 2024. The official release announcement on the Chrome Releases Blog did not reveal that Google was aware that one of the issues was exploited in the wild.
The critical security issue CVE-2024-2883 -- Use after free in ANGLE -- was fixed in Chrome Stable and Chrome Extended Stable on March 26, 2024.
Microsoft pulled an earlier release of Microsoft Edge 123. The company has now released 123.0.2420.65, which addresses eight unique security issues in the browser.
One of them is CVE-2024-2883, which affects all Chromium-based browsers. The official CVE page on Microsoft's website reveals that the issue is already attacked in the wild.
Microsoft writes: "Google is aware that an exploit for CVE-2024-2883 exists in the wild."
The Microsoft Edge release notes page confirms this as well: "This update to Stable channel contains a fix for CVE-2024-2883, which has been reported by the Chromium team as having an exploit in the wild."
This confirms that all Chromium-based browsers, including Google Chrome, are affected by the issue. ANGLE, or the ANGLE Project, stands for Almost Native Graphics Layer Engine.
Google announced ANGLE in 2010 and described its goal in the following way: "The goal of ANGLE is to layer WebGL's subset of the OpenGL ES 2.0 API over DirectX 9.0c API calls. [..] it will enable browsers like Google Chrome to run WebGL content on Windows computers without having to rely on OpenGL drivers."
Update immediately
Chromium-based browser users may want to update the browser immediately, provided that an update is available.
In most Chromium-based browsers, loading chrome://settings/help in the address bar opens the about page. The "chrome" protocol is usually redirected to the browser's own protocol, for example edge:// for Microsoft Edge or vivaldi:// for Vivaldi.
It lists the current version that is installed on the system. The browser checks for updates when the page is opened. Any update that is found is downloaded and installed at this point. Note that you need to restart the browser to complete the installation of the update.
Microsoft Edge should list version 123.0.2420.65 after installation of the update.
Load the page in every Chromium-based browser that is installed to make sure that each one is up to date. Not all browser makers push out updates immediately; if no update is available yet, check back at a later point in time.
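For administrators who need to verify the update across many machines rather than opening the about page on each one, the check above can be scripted. The following is an added example, not code from the article or from Microsoft: it parses a version string such as the one a browser prints for `--version` (the exact output format is an assumption; the sample strings below are constructed) and compares it against the fixed Edge build 123.0.2420.65 named in the article.

```python
import re
from typing import Optional, Tuple

# Version of Microsoft Edge that contains the CVE-2024-2883 fix, as stated in the article.
EDGE_FIXED_VERSION = "123.0.2420.65"

# Matches the first dotted version number (2 to 4 components) in a string.
VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a dotted version from text such as 'Microsoft Edge 123.0.2420.65'
    (assumed output format) and return it as a tuple of ints, or None."""
    match = VERSION_RE.search(text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_at_least(installed: str, fixed: str) -> Optional[bool]:
    """True if the installed version is >= the fixed version.
    Shorter version strings are padded with zeros so '123.0' == '123.0.0.0'.
    Returns None when either string carries no parsable version."""
    a = parse_version(installed)
    b = parse_version(fixed)
    if a is None or b is None:
        return None
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return a >= b


def check_edge(version_output: str) -> str:
    """Classify a captured Edge version string against the fixed build."""
    result = is_at_least(version_output, EDGE_FIXED_VERSION)
    if result is None:
        return "unknown"
    return "patched" if result else "vulnerable"


if __name__ == "__main__":
    # Constructed sample outputs; the pre-fix build number is made up for illustration.
    samples = [
        "Microsoft Edge 123.0.2420.53",
        "Microsoft Edge 123.0.2420.65",
        "Microsoft Edge 124.0.1000.0",
        "msedge: command not found",
    ]
    for s in samples:
        print(f"{s!r}: {check_edge(s)}")
```

The comparison is numeric per component rather than a string comparison, so `123.0.2420.100` correctly ranks above `123.0.2420.65`; a plain string comparison would get that wrong.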
Closing Words
Mozilla patched two 0-day vulnerabilities in its Firefox web browser as well this week. The patch was released days after the release of Firefox 124.0.
It is important to keep an eye on browser updates that companies release. This allows you to react quickly to major issues that could potentially put your data and systems at risk.
Now You: when do you update your browsers?
Nice article, thanks for linking the Microsoft release notes, I was wondering why they hadn’t released a patch for CVE-2024-3159/8/6 yet!
Me over here noticing Firefox introduced Vertical tabs in the latest Nightly, with no mention anywhere from Ghacks.
@Bobo,
> Who knew Microsoft employees can also be useful:
This assumes M$ was not behind it.
Who knew Microsoft employees can also be useful: https://images2.imgbox.com/e1/e4/K7AvdEnL_o.png
This guy basically saved linux from a world of hurt: https://access.redhat.com/security/cve/CVE-2024-3094#cve-cvss-v3 FULL SCORE! 10!
Here’s what happened: https://www.openwall.com/lists/oss-security/2024/03/29/4
These Finns, whose repo got SOILED by Jia Tan, are now having a great Easter I’m sure…
https://tukaani.org/about.html
I’ve not had my coffee yet so…. Anyways, I get emails from M$ about security issues. Anyone can sign up. I update edge as soon as they say a security update is available.
LOL
Why don’t they use the AI to make a better Chrome? Thanks for the article! :]
The finance AI told them that security concerns don’t have a positive ROI.
That’s SOP.
Off Topic.
On Distrowatch this week there is a comment w.r.t. Python-repository invaded with malware, making all Linux-distros suspect.
https://distrowatch.com/weekly.php?issue=current&mode=67#comments (comment 28 and further).
See also: https://www.bleepingcomputer.com/news/security/hundreds-of-malicious-python-packages-found-stealing-sensitive-data/
If this is as true as is seems, this is the end of Linux-OS and BSD-OS.
Anybody with better knowledge, any comment?
>”If this is as true as is seems, this is the end of Linux-OS and BSD-OS.”
The article you linked to is about fake python packages which contain malware that targets Microsoft Windows systems. Doesn’t have anything to do with any GNU/Linux distros or any of the BSD’s.
Thanks for your comment/explanation (also at Distrowatch).
Still, I follow the explanations very closely.
RedHat warns a new backdoor (XZ malware) is found, which concerns Linux (message 52 DW).
Have done limited research however the python ecosystem infestation does seem accurate.
This is why defense in depth is so important to managing your network and systems. In my opinion, there are several practices that can mitigate the risks. Not all inclusive, just the basics:
1. Have a solid network edge firewall in place ( pfSense, etc ), lock it down tight and have solid monitoring plans and practices in place. Tools like Suricata, Snort, Zeek, pfBlocker-NG with appropriate lists, and others all help but there is work involved. Monitoring and blocking data-exfiltration is key. Take network segmentation / blocking seriously, I have seen mouse drivers try to “dial home” over IPv6 in the logs. UFW or IPTables rules on each system are also recommended. If you don’t need it, block it.
2. Limit which repos are in your package manager sources.list to the bare minimum needed. Taking the “latest and greatest” isn’t the best option here. Forced automated updates can also be forced automated infections.
Locking systems down to just, say, the debian-security repo or equivalent significantly reduces your attack surface and chances to pull in one of the infected packages. If you want to try something new, give it a shot in QEMU/KVM first and monitor for malicious behaviour.
3. Use appropriate security permissions for everything. If the python package can’t access your sensitive data or even a network interface, it gives time to identify issues before damage is done. This is a pain but nothing compared to untangling accounts or data-breaches.
4. Apparmor, SE-Linux or similar tools (eg, linux namespaces) are your friends. Again, a pain to get set up correctly however nothing compared to the alternative.
5. If in doubt, download the source and review it before installing.
——————-
Sure I have missed stuff in the list above and have no issues at all with corrections or additions. Ultimately, most IT security falls within the principle of least privs and principle of segregated responsibility. Getting those two principles applied in practice is not trivial though…
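Point 2 of the comment above (restrict package sources to a minimal allowlist) is easy to drift away from over time. The following added example, which is not the commenter's code, audits an apt `sources.list` against a host allowlist and flags every entry that pulls from anywhere else. The sources content and the allowlist are constructed for illustration; `example-thirdparty.invalid` is a placeholder host.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample sources.list content (not taken from any real system).
SAMPLE_SOURCES = """\
# main mirror
deb http://deb.debian.org/debian bookworm main contrib non-free
deb http://security.debian.org/debian-security bookworm-security main
deb [arch=amd64] https://example-thirdparty.invalid/apt stable main
deb-src http://deb.debian.org/debian bookworm main
"""

# Example policy following the comment: only the security repo is allowed.
ALLOWED_HOSTS = {"security.debian.org"}

# One-line apt source: type, optional [options], URI, suite, components.
LINE_RE = re.compile(r"^(deb|deb-src)\s+(?:\[[^\]]*\]\s+)?(\S+)\s+(\S+)\s*(.*)$")


def parse_sources(text: str) -> List[Dict[str, str]]:
    """Parse sources.list lines into dicts; comments and blank lines are skipped.
    Lines that do not match the expected shape are kept with kind='unparsed'."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        match = LINE_RE.match(line)
        if not match:
            entries.append({"kind": "unparsed", "uri": raw, "host": "", "suite": ""})
            continue
        kind, uri, suite, _components = match.groups()
        host = urlparse(uri).hostname or ""
        entries.append({"kind": kind, "uri": uri, "host": host, "suite": suite})
    return entries


def audit_sources(text: str, allowed_hosts) -> Dict[str, List[str]]:
    """Split source URIs into allowed, flagged (host not on the allowlist)
    and unparsed lines so the result can be reviewed or alerted on."""
    report: Dict[str, List[str]] = {"allowed": [], "flagged": [], "unparsed": []}
    for entry in parse_sources(text):
        if entry["kind"] == "unparsed":
            report["unparsed"].append(entry["uri"])
        elif entry["host"] in allowed_hosts:
            report["allowed"].append(entry["uri"])
        else:
            report["flagged"].append(entry["uri"])
    return report


if __name__ == "__main__":
    result = audit_sources(SAMPLE_SOURCES, ALLOWED_HOSTS)
    for category, uris in result.items():
        for uri in uris:
            print(f"{category:8s} {uri}")
```

Matching on the parsed hostname rather than on a substring of the line avoids being fooled by a URI such as `http://security.debian.org.evil.example/` being mistaken for the real mirror; a substring check for `security.debian.org` would accept it.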