SCMagazine.com reported that “Google issued a Windows and Mac patch for a critical Chrome bug, and will roll out a Linux patch in the coming days and weeks. In an April 24 blog post, Google said the flaw — CVE-2024-4058 — was a type confusion in ANGLE, Google Chrome’s graphics layer engine. The large tech vendor made no mention as to whether the flaw was exploited in the wild, but past reporting by SC Media indicates that threat actors do exploit type confusions in Google Chrome.”  The April 24, 2024 article entitled “Google patches critical type-confusion flaw in Chrome browser” (https://tinyurl.com/2rvp2kct) included these comments:

A type confusion — also known as type manipulation — operates as an attack vector that can occur in interpreted languages such as JavaScript and PHP that use dynamic typing. In dynamic typing, the type of a variable gets identified and updated at runtime instead of at compile-time in a statically typed programming language.

Given that Google assigned a “critical” rating to this flaw, there’s a high potential that attackers could launch arbitrary code execution or sandbox escapes in an automated fashion and with little or no user interaction.

Google credited two members of Qrious Secure — Toan (suto) Pham and Bao (zx) Pham — for reporting the critical flaw on April 2, awarding a $16,000 bug bounty for their findings.

Given the wide-spread use of Google this not a surprise!

First published at https://www.vogelitlaw.com/blog/are-you-surprised-that-threat-actors-target-google