High-Severity Google Chrome Flaw Actively Exploited in The Wild
Google has released an emergency security update
It is recommended that users upgrade to Chrome version 128.0.6613.84/.85 on Windows and macOS, and version 128.0.6613.84 on Linux to address potential security threats.
Users of Chromium-based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi, should also apply the necessary updates as soon as they are available.
The High-Severity Exploit
In its advisory, Google confirms that an exploit for the vulnerability, identified as CVE-2024-7971, exists in the wild.
This high-severity vulnerability stems from a type confusion issue
To address this issue, Google has released Chrome versions 128.0.6613.84/.85 for Windows and macOS, and 128.0.6613.84 for Linux. These updates will be rolled out to all users on the Stable Desktop channel over the coming weeks.
While Chrome typically updates automatically when new security patches are available, users can expedite the process by navigating to the Chrome menu, selecting Help > About Google Chrome, and allowing the update to complete before clicking the 'Relaunch' button to apply it.
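To confirm that a machine, or a whole inventory of machines, is actually on a fixed build rather than trusting auto-update, here is an added example (not from the article or from Google) that compares a reported Chrome version with the first build that fixes CVE-2024-7971; the host inventory is constructed sample data.

```python
import re
from typing import Iterable, List, Optional, Tuple

# First Stable build that fixes CVE-2024-7971, per the Google advisory above.
# Windows/macOS also ship a .85 build; tuple comparison treats it as patched.
FIXED_VERSION = (128, 0, 6613, 84)

def parse_chrome_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a four-part Chrome version from text such as the output of
    `google-chrome --version` ("Google Chrome 128.0.6613.84") or a bare
    "128.0.6613.85" string. Returns None when no version is present."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())

def is_patched_for_cve_2024_7971(text: str) -> bool:
    """True when the reported build is at or above FIXED_VERSION.
    Raises ValueError when no version can be read, so an unknown
    state is never silently reported as patched."""
    version = parse_chrome_version(text)
    if version is None:
        raise ValueError(f"no Chrome version found in: {text!r}")
    return version >= FIXED_VERSION

def audit(inventory: Iterable[Tuple[str, str]]) -> List[str]:
    """Return the hostnames still running a vulnerable build. `inventory`
    holds (hostname, version_text) pairs, e.g. from an endpoint-management
    export; only Google Chrome builds are meaningful here."""
    return [host for host, text in inventory
            if not is_patched_for_cve_2024_7971(text)]

# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [
    ("ws-01", "Google Chrome 128.0.6613.85"),
    ("ws-02", "Google Chrome 127.0.6533.120"),
    ("mac-01", "128.0.6613.84"),
    ("srv-01", "Google Chrome 128.0.6613.83"),
]

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: vulnerable to CVE-2024-7971, update Chrome")
```

Edge, Brave, Opera and Vivaldi carry their own version numbers, so this comparison applies to Google Chrome only; check each vendor's release notes for the build that includes the fix.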
Although Google confirmed that CVE-2024-7971 has been exploited in attacks, the company has not yet provided detailed information about the exploitation. "Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Google noted.
Google also mentioned that they may continue to restrict access if the vulnerability is found in a third-party library that other projects rely on and has not yet been fixed.
Chrome Patches This Year
CVE-2024-7971 is the ninth Chrome zero-day vulnerability that Google has patched in 2024. Others include the following:
- CVE-2024-0519: A high-severity out-of-bounds memory access flaw in the Chrome V8 JavaScript engine, enabling remote attackers to exploit heap corruption through a specially crafted HTML page, leading to unauthorized access to sensitive data.
- CVE-2024-2887: A high-severity type confusion flaw in the WebAssembly (Wasm) standard, potentially allowing remote code execution (RCE) via a crafted HTML page.
- CVE-2024-2886: A use-after-free vulnerability in the WebCodecs API, exploited by remote attackers to perform arbitrary reads and writes via crafted HTML pages, leading to remote code execution.
- CVE-2024-3159: A high-severity vulnerability caused by an out-of-bounds read in the Chrome V8 JavaScript engine, exploited by remote attackers using specially crafted HTML pages to access data beyond the allocated memory buffer, resulting in heap corruption and possible data extraction.
- CVE-2024-4671: A high-severity use-after-free flaw in the Visuals component, which is responsible for rendering and displaying content in the browser.
- CVE-2024-4761: An out-of-bounds write issue in Chrome's V8 JavaScript engine, which executes JavaScript code.
- CVE-2024-4947: A type confusion weakness in the Chrome V8 JavaScript engine, enabling arbitrary code execution on the target device.
- CVE-2024-5274: A type confusion flaw in Chrome's V8 JavaScript engine that can lead to crashes, data corruption, or arbitrary code execution.
I am not sure whether God is still playing the same game with us. (Einstein)
5mo Serves all the CHROMEheads and Googlists right - it has been nothing but a business plan from the very beginning anyway.
Commercial Manager - CSM GRUPO RADICAL
5mo Thanks for sharing
Cybersecurity | Fractional Chief Security Officer | Risk Management/Mitigation | Regulatory Compliance
5mo This is a critical update! While Chrome typically updates automatically when new security patches are available, I assume the browser needs to be restarted for it to update, correct? This is important to keep in mind for those of us who keep our browser running for days (or weeks?) with lots of tabs open…!
Thanks for sharing
Great dad | Inspired Risk Management and Security | Cybersecurity | AI Governance | Data Science & Analytics My posts and comments are my personal views and perspectives but not those of my employer
5mo Alert users and trigger update immediately