CVE-2024-0333: 
vulnerability analysis and mitigation

CVE-2024-0333 is a high-severity vulnerability discovered in Google Chrome's Extensions functionality prior to version 120.0.6099.216. The vulnerability was reported by security researcher Malcolm Stagg of SODIUM-24, LLC on December 20, 2023, and was publicly disclosed on January 9, 2024. The flaw affects Google Chrome installations across Windows, Mac, and Linux operating systems (Chrome Release).

The vulnerability stems from insufficient data validation in Chrome's Extensions system. The core issue involves the manipulation of CRX files (Chrome extension format) headers and exploitation of how the Minizip library processes headers with different archive tokens. By leveraging the ZIP file format's End of Central Directory (EOCD) token and inserting an EOCD64 token, attackers could bypass signature verification processes within the 64kB size constraints (Security Online). The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N (NVD).

The vulnerability could allow an attacker in a privileged network position to install malicious extensions via crafted HTML pages. This is particularly concerning for enterprise environments using Chrome with internal extension update servers, where an attacker on a shared network could potentially mimic the internal update server and trick employee browsers into downloading compromised extensions (Security Online).

Google has addressed this vulnerability in Chrome version 120.0.6099.216/217. The fix was implemented within 24 hours of the initial report. Users and administrators should ensure their Chrome installations are updated to this version or later. Additionally, users should exercise caution when using Chrome on public networks and only install extensions from the official Chrome Web Store (Security Online).