Google fixes the eighth actively exploited Chrome zero-day this year

Google has released a new emergency security update to address the eighth zero-day vulnerability in the Chrome browser that has been confirmed to be actively exploited in the wild.

The vulnerability was discovered internally by Google’s Clément Lecigne and is tracked as CVE-2024-5274. It’s a very serious ‘type confusion’ in V8, Chrome’s JavaScript engine responsible for executing JS code.

“Google is aware that an exploit for CVE-2024-5274 exists in the wild,” the company said in the security advisory.

A “type confusion” vulnerability occurs when a program allocates a chunk of memory to store one type of data, but incorrectly interprets the data as a different type. This may lead to crashes, data corruption, and arbitrary code execution.

Google has not shared technical details about the flaw in order to protect users from possible exploit attempts by other threat actors and allow them to install a browser version that fixes the problem.

“Access to bug details and links may be restricted until the majority of users have been updated with a fix. We will also enforce restrictions if the bug exists in a third-party library that other projects similarly depend on, but have not yet been resolved,” the tech giant said.

Fix available on Chrome Stable

Google’s fix is rolling out to Chrome’s stable channel at version 125.0.6422.112/.113 for Windows and Mac, while Linux users will get the update in the coming weeks at version 125.0.6422.112.

Chrome installs important security updates automatically and they take effect after the browser is restarted. Users can confirm they are using the latest version in the About section of the Settings menu.

If an update is available, users should wait for the update process to complete and then click the ‘Restart’ button to apply it.

Third actively exploited zero-day this month

CVE-2024-5274 is the eighth actively exploited vulnerability Google has fixed in Chrome since the beginning of this year, and the third this month.

At the same time, Google’s previous decision to reduce the delivery of Chrome security updates from twice to once a week addresses the patch gap issue that gives attackers additional time to exploit zero-day flaws.

Actively exploited zero-day bugs in Chrome that were patched earlier this year include:

  1. CVE-2024-0519: A high-severity out-of-bounds memory access vulnerability in the Chrome V8 JavaScript engine, which allows remote attackers to exploit heap corruption via a specially crafted HTML page, leading to unauthorized access to sensitive information.
  2. CVE-2024-2887: A very serious type confusion flaw in WebAssembly (Wasm). It could lead to remote code execution (RCE) exploits using a crafted HTML page.
  3. CVE-2024-2886: A use-after-free vulnerability in the WebCodecs API used by web applications to encode and decode audio and video. Remote attackers exploited it to perform arbitrary reads and writes via crafted HTML pages, leading to remote code execution.
  4. CVE-2024-3159: A high-severity vulnerability caused by an out-of-bounds read in the Chrome V8 JavaScript engine. Remote attackers exploited this flaw by using specially crafted HTML pages to access data outside the allocated memory buffer, resulting in heap corruption that could be used to extract sensitive information.
  5. CVE-2024-4671: A serious use-after-free bug in the Visuals component that handles rendering and displaying content in the browser.
  6. CVE-2024-4761: An out-of-bounds write issue in Chrome’s V8 JavaScript engine, which is responsible for executing JS code in the application.
  7. CVE-2024-4947: A severe type confusion vulnerability in the Chrome V8 JavaScript engine, allowing arbitrary code execution on the target device.
