Google has released a new emergency Chrome security update to address the third zero-day vulnerability exploited in attacks within a week.
“Google is aware that an exploit for CVE-2024-4947 exists in the wild,” the search giant said in a security advisory published on Wednesday.
The high-severity zero-day vulnerability (CVE-2024-4947) is caused by a type confusion weakness in the Chrome V8 JavaScript engine reported by Kaspersky’s Vasily Berdnikov and Boris Larin.
Although such flaws generally enable threat actors to trigger browser crashes by reading or writing memory out of buffer bounds, they can also exploit them for arbitrary code execution on targeted devices.
The other two actively exploited Chrome zero-days patched this week are CVE-2024-4671 (a use-after-free flaw in the Visuals component) and CVE-2024-4761 (an out-of-bounds write bug in the V8 JavaScript engine).
Microsoft also said it is “aware of the recent exploits existing in the wild” targeting CVE-2024-4947 and that its engineers are “actively working on releasing a security fix” for the Chromium-based Edge web browser.
Fix rolling out to Stable channel users
The company fixed the zero-day flaw with the release of 125.0.6422.60/.61 for Mac/Windows and 125.0.6422.60 (Linux). The new versions will roll out to all users in the Stable Desktop channel over the coming weeks.
Chrome updates automatically when security patches are available. However, users can also confirm they’re running the latest version by going to Chrome menu > Help > About Google Chrome, letting the update finish, and then clicking on the ‘Relaunch’ button to install it.
Today’s update was immediately available when BleepingComputer checked for new updates.
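A fleet-side version of the check described above, as an added example that is not from the original article: it parses version strings of the form printed by `google-chrome --version` and compares them numerically against 125.0.6422.60, the earliest fixed build the article names. The inventory is constructed sample data, and treating later builds as patched is an assumption; Edge uses its own version numbers and is out of scope.

```python
import re

# Earliest fixed build named in the article (Mac/Windows .60/.61, Linux .60).
FIXED_BUILD = (125, 0, 6422, 60)

# Chrome versions have four dot-separated numeric fields.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_chrome_version(text):
    """Return the four-part version found in text as a tuple of ints, or None."""
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def classify(text):
    """Classify one reported version string against the fixed build."""
    version = parse_chrome_version(text)
    if version is None:
        return "unknown"  # no parsable version: needs manual follow-up
    # Tuple comparison is numeric per field; comparing the raw strings
    # would wrongly rank "...6422.9" above "...6422.60".
    # Assumption: builds later than the fixed one also carry the fix.
    return "patched" if version >= FIXED_BUILD else "vulnerable"


def audit(inventory):
    """Map each host in {host: reported_version_text} to its status."""
    return {host: classify(raw) for host, raw in inventory.items()}


# Constructed sample inventory (hostnames and most versions are invented).
SAMPLE_INVENTORY = {
    "ws-01": "Google Chrome 125.0.6422.61",
    "ws-02": "Google Chrome 125.0.6422.9",
    "ws-03": "Google Chrome 124.0.6367.207",
    "ws-04": "Google Chrome 126.0.6478.36",
    "ws-05": "google-chrome: command not found",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```
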
Seventh actively exploited zero-day patched in 2024
While Google confirmed the CVE-2024-4947 bug was used in attacks, the company has yet to share more details regarding these incidents.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed,” Google said.
This latest Chrome vulnerability is the seventh zero-day fixed in the Google web browser since the start of the year, with the complete list of zero-days patched in 2024 including:
- CVE-2024-0519: A high-severity out-of-bounds memory access weakness within the Chrome V8 JavaScript engine, allowing remote attackers to exploit heap corruption via a specially crafted HTML page, leading to unauthorized access to sensitive information.
- CVE-2024-2887: A high-severity type confusion flaw in the WebAssembly (Wasm) standard. It could lead to remote code execution (RCE) exploits leveraging a crafted HTML page.
- CVE-2024-2886: A use-after-free vulnerability in the WebCodecs API used by web applications to encode and decode audio and video. Remote attackers exploited it to perform arbitrary reads and writes via crafted HTML pages, leading to remote code execution.
- CVE-2024-3159: A high-severity vulnerability caused by an out-of-bounds read in the Chrome V8 JavaScript engine. Remote attackers exploited this flaw using specially crafted HTML pages to access data beyond the allocated memory buffer, resulting in heap corruption that could be leveraged to extract sensitive information.
- CVE-2024-4671: A high-severity use-after-free flaw in the Visuals component that handles the rendering and displaying of content in the browser.
- CVE-2024-4761: An out-of-bounds write problem in Chrome’s V8 JavaScript engine, which is responsible for executing JS code in the application.