¡¾·ì϶¹«¸æ¡¿Google Chrome¿ªÊͺóʹÓ÷ì϶£¨CVE-2024-2883£©

°ä²¼¹¦·ò 2024-03-28


 

Ò»¡¢·ì϶¸ÅÊö

·ìϼûû³Æ

  Google   Chrome¿ªÊͺóʹÓ÷ì϶

CVE   ID

CVE-2024-2883

·ì϶ÀàÐÍ

Use-after-free

·¢ÏÖ¹¦·ò

2024-03-28

·ì϶ÆÀ·Ö

ÔÝÎÞ

·ì϶µÈ¼¶

ÑϳÁ

¹¥»÷ÏòÁ¿

ÍøÂç

ËùÐèȨÏÞ

ÎÞ

ÀûÓÃÄѶÈ

µÍ

Óû§½»»¥

ÊÇ

PoC/EXP

δ¹«¿ª

ÔÚÒ°ÀûÓÃ

δ֪

 

Google ChromeÊÇÓÉGoogle¹«Ë¾¿ª·¢µÄÒ»¿îÍøÒ³ä¯ÀÀÆ÷ ¡£

2024Äê3ÔÂ28ÈÕ £¬28ȦVSRC¼à²âµ½Google Chrome°ä²¼°²È«¸üР£¬½¨¸´ÁËANGLEÖеÄÒ»¸ö¿ªÊͺóʹÓ÷ì϶£¨CVE-2024-2883£© £¬ANGLE ÊÇChrome ºÍÆäËûÊ¢ÐÐä¯ÀÀÆ÷ÖÐʹÓõĿªÔ´¿çƽ̨ͼÐÎÒýÇæ £¬ÍþвÕß¿ÉÓÕµ¼Êܺ¦Õß½Ó¼û¶ñÒâÉè¼ÆµÄ HTMLÒ³Ãæµ¼ÖÂä¯ÀÀÆ÷±ÀÀ  £»òÖ´ÐÐËÁÒâ´úÂë ¡£

´Ë±í £¬Google Chrome»¹½¨¸´ÁËWebAssemblyÖеÄÀàÐÍ»ìºÏ·ì϶£¨CVE-2024-2887£© £¬ÍþвÕß¿Éͨ¹ý¶ñÒâÉè¼ÆµÄHTMLÒ³Ãæµ¼ÖÂËÁÒâ´úÂëÖ´ÐÐ  £»ÒÔ¼°WebCodecsÖеĿªÊͺóʹÓ÷ì϶£¨CVE-2024-2886£© £¬ÍþвÕß¿Éͨ¹ý¶ñÒâÉè¼ÆµÄHTMLÒ³ÃæÖ´ÐÐËÁÒâ¶ÁÈ¡/дÈë £¬Ä¿Ç°ÕâÁ½¸ö·ì϶¾ùÒÑ·¢ÏÖ±»ÀûÓà ¡£

 


¶þ¡¢Ó°ÏìÁìÓò

Google Chrome£¨Windows/Mac£©°æ±¾£º< 123.0.6312.86/.87

Google Chrome£¨Linux£©°æ±¾£º< 123.0.6312.86

 

Èý¡¢°²È«´ëÊ©

3.1 Éý¼¶°æ±¾

ĿǰÕâЩ·ì϶ÒѾ­½¨¸´ £¬ÊÜÓ°ÏìÓû§¿ÉÉý¼¶µ½ÒÔϰ汾£º

Google Chrome£¨Windows/Mac£©°æ±¾£º>= 123.0.6312.86/.87

Google Chrome£¨Linux£©°æ±¾£º>= 123.0.6312.86

ÏÂÔØÁ´½Ó£º

https://www.google.cn/chrome/

ÊÖ¶¯²é³­¸üУº

ChromeÓû§¿Éͨ¹ýChrome ²Ëµ¥-¡¾Ô®ÊÖ¡¿-¡¾¹ØÓÚ Google Chrome¡¿²é³­°æ±¾¸üР£¬²¢ÔÚ¸üÐÂʵÏÖºó³ÁÐÂÆô¶¯ ¡£

3.2 һʱ´ëÊ©

´Ë±í £¬Microsoft Ò²Õë¶ÔÕâЩ·ì϶°ä²¼ÁËMicrosoft Edgeä¯ÀÀÆ÷£¨»ùÓÚChromium£©²¼¸æ £¬Microsoft EdgeÓû§¿ÉÉý¼¶µ½123.0.2420.65£¨Stable£©¡¢122.0.2365.113£¨Extended Stable£©»ò¸ü¸ß°æ±¾ ¡£

3.3 ͨÓý¨Òé

l  ¶¨ÆÚ¸üÐÂϵͳ²¹¶¡ £¬Ï÷¼õϵͳ·ì϶ £¬ÌáÉý·þÎñÆ÷µÄ°²È«ÐÔ ¡£

l  ¼ÓǿϵͳºÍÍøÂçµÄ½Ó¼û½ÚÔì £¬Åú¸Ä·À»ðǽսÊõ £¬¹Ø¹Ø·Ç±ØÒªµÄÀûÓö˿ڻò·þÎñ £¬Ï÷¼õ½«Î£ÏÕ·þÎñ£¨ÈçSSH¡¢RDPµÈ£©Â¶³öµ½¹«Íø £¬Ï÷¼õ¹¥»÷Ãæ ¡£

l  ʹÓÃÆóÒµ¼¶°²È«²úÆ· £¬ÌáÉýÆóÒµµÄÍøÂ簲ȫ»úÄÜ ¡£

l  ¼ÓǿϵͳÓû§ºÍȨÏÞÖÎÀí £¬ÆôÓöà³É·ÖÈÏÖ¤»úÔìºÍ×îÓ×ȨÏÞ×¼Ôò £¬Óû§ºÍÈí¼þȨÏÞӦά³ÖÔÚ×îµÍÏÞ¶È ¡£

l  ÆôÓÃÇ¿ÃÜÂëÕ½Êõ²¢ÉèÖÃΪ¶¨ÆÚÅú¸Ä ¡£

3.4 ²Î¿¼Á´½Ó

https://chromereleases.googleblog.com/2024/03/stable-channel-update-for-desktop_26.html

https://www.bleepingcomputer.com/news/security/google-fixes-chrome-zero-days-exploited-at-pwn2own-2024/

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-2887

 


ËÄ¡¢°æ±¾ÐÅÏ¢

°æ±¾

ÈÕÆÚ

±¸×¢

V1.0

2024-03-28

³õ´Î°ä²¼

 

 

Îå¡¢¸½Â¼

5.1 28Ȧ¼ò½é

28Ȧ³ÉÁ¢ÓÚ1996Äê £¬ÊÇÓÉÁôÃÀ²©Ê¿ÑÏÍû¼ÑŮʿ´´½¨µÄ¡¢Õ¼ÓÐÆëÈ«×ÔÖ÷֪ʶ²úȨµÄÐÅÏ¢°²È«¸ß¿Æ¼¼ÆóÒµ ¡£ÊǹúÄÚ×î¾ßʵÁ¦µÄÐÅÏ¢°²È«²úÆ·¡¢°²È«·þÎñ½â¾ö¹æ»®µÄÁ캽ÆóÒµÖ®Ò» ¡£

¹«Ë¾×ܲ¿Î»ÓÚ±±¾©ÊÐÖйشåÈí¼þÔ°28Ȧ´óÏà £¬¹«Ë¾Ô±¹¤6000ÓàÈË £¬Ñз¢ÍŶÓ1200ÓàÈË, ¼¼Êõ·þÎñÍŶÓ1300ÓàÈË ¡£ÔÚÈ«¹ú¸÷Ê¡¡¢ÊÓ×¢×ÔÖÎÇøÉèÁ¢·ÖÖ§»ú¹¹ÁùÊ®¶à¸ö £¬Õ¼Óи²¸ÇÈ«¹úµÄÏúÊÛϵͳ¡¢Çþ·ϵͳºÍ¼¼ÊõÖ§³Öϵͳ ¡£¹«Ë¾ÓÚ2010Äê6ÔÂ23ÈÕÔÚÀö½­ÖÐÓ×°å¹ÒÅÆÉÏÊÐ ¡££¨¹ÉƱ´úÂ룺002439£©

¶àÄêÀ´ £¬28ȦÖÂÁ¦ÓÚÌṩӵÓйú¼Ê¾ºÕùÁ¦µÄ×ÔÖ÷´´Ðµİ²È«²úÆ·ºÍ×î¼Ñʵ¼Ê·þÎñ £¬Ô®ÊÖ¿Í»§È«ÃæÌáÉýÆäIT»ù´¡ÉèÊ©µÄ°²È«ÐԺͳö²úЧÁ¦ £¬Îª´òÔìºÍÌáÉý¹ú¼Ê»¯µÄÃñ×åÐÅÏ¢°²È«²úÒµÁì¾üÆ·ÅÆ¶ø²»Ð¸ÖÂÁ¦ ¡£

5.2 ¹ØÓÚ28Ȧ

28Ȧ°²È«Ó¦¼±ÏìÓ¦ÖÐÐÄÒѰ䲼1000¶à¸ö·ì϶¹«¸æÎ¢·çÏÕÔ¤¾¯ £¬ÎÒÃǽ«³ÖÐø¸ú×ÙÈ«Çò×îеÄÍøÂ簲ȫÊÂÎñºÍ·ì϶ £¬ÎªÆóÒµµÄÐÅÏ¢°²È«±£¼Ý»¤º½ ¡£

¹Ø×¢ÎÒÃÇ£º

image.png