Google Chrome emergency update fixes sixth zero-day exploited in 2024

Google has released emergency security updates for the Chrome browser to address a high-severity zero-day vulnerability tagged as exploited in attacks.

This fix comes only three days after Google addressed another zero-day vulnerability in Chrome, CVE-2024-4671, caused by a use-after-free weakness in the Visuals component.

The latest bug is tracked as CVE-2024-4761. It is an out-of-bounds write problem impacting Chrome’s V8 JavaScript engine, which is responsible for executing JS code in the application.

Out-of-bounds write issues occur when a program is allowed to write data outside the designated array or buffer, potentially leading to unauthorized data access, arbitrary code execution, or program crashes.

“Google is aware that an exploit for CVE-2024-4761 exists in the wild,” reads the advisory.

The company fixed the security flaw with the release of 124.0.6367.207/.208 for Mac/Windows and 124.0.6367.207 for Linux. The updates will roll out to all users over the coming days/weeks.

For users of the ‘Extended Stable’ channel, fixes will be made available in version 124.0.6367.207 for Mac and Windows.

Chrome updates automatically when a security update is available, but users can confirm they are running the latest version by going to Settings > About Chrome, letting the update finish, and then clicking the ‘Relaunch’ button to apply it.
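When more than one machine has to be checked, the comparison against the fixed build can be scripted. The following is an added example, not taken from Google's advisory or the original article; the host names and version strings in the inventory are constructed, and treating any numerically higher version as patched is an assumption.

```python
import re

# Lowest fixed build named in the article (Windows, Mac and Linux).
FIXED_BUILD = (124, 0, 6367, 207)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_chrome_version(text):
    """Extract a four-part Chrome version such as '124.0.6367.201' from
    free text and return it as a tuple of ints, or None if absent."""
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def is_patched(version_text, fixed=FIXED_BUILD):
    """True if at or above the fixed build, False if older,
    None if no version could be parsed."""
    version = parse_chrome_version(version_text)
    if version is None:
        return None
    # Compare as integer tuples. Comparing the raw strings would rank
    # '124.0.6367.91' above '124.0.6367.207' and hide a vulnerable host.
    return version >= fixed


def audit(inventory):
    """Map each host to 'patched', 'VULNERABLE' or 'unknown'."""
    statuses = {True: "patched", False: "VULNERABLE", None: "unknown"}
    return {host: statuses[is_patched(v)] for host, v in inventory.items()}


# Constructed sample inventory (hypothetical hosts and reported versions).
SAMPLE_INVENTORY = {
    "win-laptop-01": "Google Chrome 124.0.6367.208",
    "mac-desk-02": "Google Chrome 124.0.6367.201",
    "linux-build-03": "Google Chrome 124.0.6367.207",
    "win-kiosk-04": "124.0.6367.91",
    "mac-old-05": "Google Chrome 99.0.4844.84",
    "linux-unk-06": "chrome: not found",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:16} {status}")
```

Hosts reported as "unknown" returned no parseable version and need a manual check via Settings > About Chrome.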

Sixth zero-day exploited in attacks

This latest Google Chrome vulnerability is the sixth zero-day bug discovered and fixed in the popular web browser since the start of the year.

The company notes that an anonymous researcher reported the flaw on May 9, 2024, but no further details have been disclosed at this time.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed,” Google stated.

Chrome zero-day flaws fixed in 2024 so far include:

  • CVE-2024-0519: A high-severity out-of-bounds memory access weakness in the Chrome V8 JavaScript engine, allowing remote attackers to exploit heap corruption via a specially crafted HTML page, leading to unauthorized access to sensitive information.
  • CVE-2024-2887: A high-severity type confusion flaw in the WebAssembly (Wasm) standard. It could lead to remote code execution (RCE) exploits leveraging a crafted HTML page.
  • CVE-2024-2886: A use-after-free vulnerability in the WebCodecs API used by web applications to encode and decode audio and video. Remote attackers exploited it to perform arbitrary reads and writes via crafted HTML pages, leading to remote code execution.
  • CVE-2024-3159: A high-severity vulnerability caused by an out-of-bounds read in the Chrome V8 JavaScript engine. Remote attackers exploited this flaw using specially crafted HTML pages to access data beyond the allocated memory buffer, resulting in heap corruption that could be leveraged to extract sensitive information.
  • CVE-2024-4671: A high-severity use-after-free flaw in the Visuals component that handles the rendering and display of content in the browser.
