High-Severity Google Chrome Flaw Actively Exploited in The Wild

Google has released an emergency security update for Chrome to address a zero-day vulnerability currently being exploited in the wild.

It is recommended that users upgrade to Chrome version 128.0.6613.84/.85 on Windows and macOS, and version 128.0.6613.84 on Linux to address potential security threats.

Users of Chromium-based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi, should also apply the necessary updates as soon as they are available.


The High-Severity Exploit

In its advisory, Google confirms that an exploit for the vulnerability, identified as CVE-2024-7971, exists in the wild.

This high-severity vulnerability stems from a type confusion issue in Chrome's V8 JavaScript engine. It was reported by security researchers from the Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) on Monday. Such vulnerabilities often allow attackers to crash the browser by making it interpret data in memory as a different type than intended. However, they can also be exploited to execute arbitrary code on devices running unpatched versions of Chrome.

To address this issue, Google has released Chrome versions 128.0.6613.84/.85 for Windows and macOS, and 128.0.6613.84 for Linux. These updates will be rolled out to all users on the Stable Desktop channel over the coming weeks.

While Chrome typically updates automatically when new security patches are available, users can expedite the process by navigating to the Chrome menu, selecting Help > About Google Chrome, and allowing the update to complete before clicking the 'Relaunch' button to apply it.
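A fleet-side check against the fixed build named above, as an added example that is not from Google's advisory or the original article: it classifies inventory records against 128.0.6613.84 and separates hosts where the patched build is installed but the browser has not yet been relaunched. The record schema, host names and sample version strings are assumptions constructed for illustration.

```python
import re

# Lowest fixed build named in the article (Windows/macOS may also show .85).
FIXED = (128, 0, 6613, 84)
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract a four-part version from text such as `google-chrome --version` output."""
    m = VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def triage(record):
    """Classify one record (hypothetical schema: host, product, installed, running)."""
    if (record.get("product") or "").strip().lower() != "google chrome":
        return "unknown"  # the article gives no fixed build for other Chromium browsers
    installed = parse_version(record.get("installed"))
    running = parse_version(record.get("running"))
    if installed is None:
        return "unknown"
    if installed < FIXED:  # tuple comparison is numeric, so .9 sorts below .84
        return "vulnerable"
    # Patched build on disk, but the older process keeps running until relaunch.
    if running is not None and running < FIXED:
        return "relaunch-pending"
    return "patched"


def report(records):
    """Map each host name to its triage status."""
    return {r["host"]: triage(r) for r in records}


# Constructed sample inventory, not real hosts.
SAMPLE = [
    {"host": "ws-01", "product": "Google Chrome", "installed": "Google Chrome 127.0.6533.120", "running": "127.0.6533.120"},
    {"host": "ws-02", "product": "Google Chrome", "installed": "128.0.6613.85", "running": "127.0.6533.120"},
    {"host": "ws-03", "product": "Google Chrome", "installed": "Google Chrome 128.0.6613.84 ", "running": "128.0.6613.84"},
    {"host": "ws-04", "product": "Microsoft Edge", "installed": "127.0.2651.105", "running": None},
    {"host": "ws-05", "product": "Google Chrome", "installed": "not installed", "running": None},
]

if __name__ == "__main__":
    for host, status in report(SAMPLE).items():
        print(f"{host:10} {status}")
```

Hosts reported as relaunch-pending still run the old build until the browser is restarted, so they belong in the same remediation queue as vulnerable ones.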

Although Google confirmed that CVE-2024-7971 has been exploited in attacks, the company has not yet provided detailed information about the exploitation. "Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Google noted.

Google also mentioned that it may continue to restrict access if the vulnerability is found in a third-party library that other projects rely on and has not yet been fixed.


Chrome Patches This Year

CVE-2024-7971 is the ninth Chrome zero-day vulnerability that Google has patched in 2024. Others include the following:

  1. CVE-2024-0519: A high-severity out-of-bounds memory access flaw in the Chrome V8 JavaScript engine, enabling remote attackers to exploit heap corruption through a specially crafted HTML page, leading to unauthorized access to sensitive data.
  2. CVE-2024-2887: A high-severity type confusion flaw in the WebAssembly (Wasm) standard, potentially allowing remote code execution (RCE) via a crafted HTML page.
  3. CVE-2024-2886: A use-after-free vulnerability in the WebCodecs API, exploited by remote attackers to perform arbitrary reads and writes via crafted HTML pages, leading to remote code execution.
  4. CVE-2024-3159: A high-severity vulnerability caused by an out-of-bounds read in the Chrome V8 JavaScript engine, exploited by remote attackers using specially crafted HTML pages to access data beyond the allocated memory buffer, resulting in heap corruption and possible data extraction.
  5. CVE-2024-4671: A high-severity use-after-free flaw in the Visuals component, which is responsible for rendering and displaying content in the browser.
  6. CVE-2024-4761: An out-of-bounds write issue in Chrome's V8 JavaScript engine, which executes JavaScript code.
  7. CVE-2024-4947: A type confusion weakness in the Chrome V8 JavaScript engine, enabling arbitrary code execution on the target device.
  8. CVE-2024-5274: A type confusion flaw in Chrome's V8 JavaScript engine that can lead to crashes, data corruption, or arbitrary code execution.


Jiří Šebestík

I am not sure whether God is still playing the same game with us. (Einstein)

5mo

Serves all the CHROMEheads and Googlists right - it has been just a business plan from the start, after all

Maria Jose Gallegos Arias

Commercial Manager - CSM GRUPO RADICAL

5mo

Thanks for sharing

Sean Murphy

Cybersecurity | Fractional Chief Security Officer | Risk Management/Mitigation | Regulatory Compliance

5mo

This is a critical update! While Chrome typically updates automatically when new security patches are available, I assume the browser needs to be restarted for it to update, correct? This is important to keep in mind for those of us who keep our browser running for days (or weeks?) with lots of tabs open…!

Mauricio Ortiz, CISA

Great dad | Inspired Risk Management and Security | Cybersecurity | AI Governance | Data Science & Analytics My posts and comments are my personal views and perspectives but not those of my employer

5mo

Alert users and trigger update immediately
