PoC Exploit Released for CVE-2024-7965 Zero-Day Chrome Vulnerability
Technical specifics and a proof-of-concept (PoC) exploit have been made available for a recently uncovered zero-day vulnerability, CVE-2024-7965, in the V8 JavaScript engine. The flaw, analyzed by experts at BI.ZONE, poses a significant threat, particularly to users of Android smartphones and of certain macOS laptops.
On August 26, Google disclosed that CVE-2024-7965 had already been exploited in the wild, just days after it released version 128.0.6613.84, which includes a fix for the vulnerability. The flaw allows an attacker to take control of Chrome’s renderer process when a user visits a malicious website serving specially crafted JavaScript. With a CVSS score of 8.8/10, the vulnerability is rated high severity.
The situation is further complicated by the fact that CVE-2024-7965 has been exploited in combination with CVE-2024-7964, a use-after-free vulnerability in Chrome’s password management system. Together, these vulnerabilities give attackers full control over the browser, allowing them to access sensitive data such as passwords, browsing history, and stored cookies. Even more concerning, successful exploitation opens the door for spyware installation, which can silently monitor user activity within the browser.
While Google has issued a patch for Chrome, the threat extends beyond just this browser. All Chromium-based browsers, including popular ones like Microsoft Edge, share the affected V8 engine and remain vulnerable until they ship an update that carries the fix.
In their analysis, BI.ZONE experts discovered that CVE-2024-7965 specifically affects devices running on ARM architecture, including Apple laptops released after November 2020 and Android smartphones across all versions. This increases the attack surface significantly, making this vulnerability a serious concern for users of these devices.
The vulnerability arises from improper value handling during JavaScript code execution optimization, a flaw that allows attackers to read and write beyond legitimate memory boundaries. This can lead to the hijacking of code execution, giving cybercriminals the ability to gain full control over a compromised system.
More alarmingly, if combined with a common XSS vulnerability on a popular website’s subdomain, attackers could steal session data across the entire domain. For example, a compromised session on my.domain.com could lead to the theft of sensitive information from domain.com and its subdomains. The consequences range from the exposure of confidential data to the installation of malware on the user’s device.
The publication of proof-of-concept (PoC) exploit code for CVE-2024-7965 amplifies the threat, as it potentially enables even less-skilled attackers to leverage this vulnerability.
To safeguard against potential exploitation, users are strongly urged to update their browsers to the latest version immediately.
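Because the only mitigation is running a build at or above the fixed version, the following added example (not from the article or from BI.ZONE) compares reported Chromium versions against 128.0.6613.84, both for a locally installed browser and for User-Agent strings taken from web-server logs; the browser binary name is an assumption and the log lines are constructed samples.

```python
import re
import subprocess

# First Chrome build carrying the CVE-2024-7965 fix, per the article above.
FIXED_VERSION = "128.0.6613.84"

# Four-part dotted version as printed by `google-chrome --version`
# ("Google Chrome 128.0.6613.84") or carried in a User-Agent ("Chrome/128.0.0.0").
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the first four-part version in text as an int tuple, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def is_patched(version_text):
    """True when the reported build is at or above FIXED_VERSION
    (tuple compare, so 128.0.6613.120 > 128.0.6613.84 > 127.0.6533.119)."""
    v = parse_version(version_text)
    if v is None:
        raise ValueError(f"no Chrome-style version in {version_text!r}")
    return v >= parse_version(FIXED_VERSION)


def classify_user_agent(ua):
    """Classify a log User-Agent as 'not-chromium', 'patched', 'unpatched'
    or 'unknown'. Since Chrome 101 the UA string is reduced to
    'Chrome/<major>.0.0.0', so the build/patch fields needed to tell
    128.0.6613.84 from an earlier 128 build are normally not observable."""
    m = re.search(r"Chrome/(\d+\.\d+\.\d+\.\d+)", ua)
    if not m:
        return "not-chromium"
    _major, minor, build, patch = parse_version(m.group(1))
    if (minor, build, patch) == (0, 0, 0):
        return "unknown"  # reduced UA: patch level absent, check the endpoint instead
    return "patched" if is_patched(m.group(1)) else "unpatched"


def check_local_browser(binary="google-chrome"):
    """Ask the installed browser for its version and compare it. Assumes the
    binary name is on PATH; it differs per platform (e.g. 'chromium')."""
    out = subprocess.run([binary, "--version"], capture_output=True,
                         text=True, check=True).stdout.strip()
    return out, is_patched(out)


if __name__ == "__main__":
    # Constructed sample log lines, not real traffic.
    for ua in ("Mozilla/5.0 (Linux; Android 14) AppleWebKit/537.36 (KHTML, like Gecko) "
               "Chrome/128.0.0.0 Mobile Safari/537.36", "curl/8.5.0"):
        print(classify_user_agent(ua), "<-", ua)
```

Because reduced User-Agent strings hide the patch level, log-based checks can only flag clients that are clearly unpatched; confirmation has to come from the endpoint itself.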