Google has launched a brand new emergency Chrome safety replace to handle the third zero-day vulnerability exploited in assaults inside per week.
“Google is aware that an exploit for CVE-2024-4947 exists in the wild,” the search big mentioned in a safety advisory revealed on Wednesday.
The corporate fastened the zero-day flaw with the discharge of 125.0.6422.60/.61 for Mac/Home windows and 125.0.6422.60 (Linux). The brand new variations will roll out to all customers within the Steady Desktop channel over the approaching weeks.
Chrome updates routinely when safety patches can be found. Nevertheless, customers also can verify they’re working the newest model by going to Chrome menu > Assist > About Google Chrome, letting the replace end, after which clicking on the ‘Relaunch’ button to put in it.
At the moment’s replace was instantly accessible when BleepingComputer checked for brand spanking new updates.
The high-severity zero-day vulnerability (CVE-2024-4947) is attributable to a kind confusion weak point within the Chrome V8 JavaScript engine reported by Kaspersky’s Vasily Berdnikov and Boris Larin.
Regardless that such vulnerabilities typically allow menace actors to set off browser crashes by studying or writing reminiscence out of buffer bounds, they will additionally exploit them for arbitrary code execution on focused gadgets.
Whereas Google confirmed the CVE-2024-4947 bug was utilized in assaults, the corporate has but to share extra particulars relating to these incidents.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google mentioned.
“We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”
Seventh actively exploited zero-day patched in 2024
This newest Chrome vulnerability is the seventh zero-day fastened within the Google internet browser for the reason that begin of the 12 months, with the whole record of zero-days patched in 2024 together with:
- CVE-2024-0519: A high-severity out-of-bounds reminiscence entry weak point throughout the Chrome V8 JavaScript engine, permitting distant attackers to take advantage of heap corruption through a specifically crafted HTML web page, resulting in unauthorized entry to delicate info.
- CVE-2024-2887: A high-severity kind confusion flaw within the WebAssembly (Wasm) commonplace. It may result in distant code execution (RCE) exploits leveraging a crafted HTML web page.
- CVE-2024-2886: A use-after-free vulnerability within the WebCodecs API utilized by internet purposes to encode and decode audio and video. Distant attackers exploited it to carry out arbitrary reads and writes through crafted HTML pages, resulting in distant code execution.
- CVE-2024-3159: A high-severity vulnerability attributable to an out-of-bounds learn within the Chrome V8 JavaScript engine. Distant attackers exploited this flaw utilizing specifically crafted HTML pages to entry knowledge past the allotted reminiscence buffer, leading to heap corruption that might be leveraged to extract delicate info.
- CVE-2024-4671: A high-severity use-after-free flaw within the Visuals element that handles the rendering and displaying content material within the browser.
- CVE-2024-4761: An out-of-bounds write drawback in Chrome’s V8 JavaScript engine, which is chargeable for executing JS code within the utility.
