Today, Google revealed that it patched the tenth zero-day exploited in the wild in 2024 by attackers or security researchers during hacking contests.
Tracked as CVE-2024-7965 and reported by a security researcher known only as TheDog, the now-patched high-severity vulnerability is described as an inappropriate implementation in Google Chrome’s V8 JavaScript engine that can let remote attackers exploit heap corruption via a crafted HTML page.
This was announced in an update to a blog post where the company revealed last week that it fixed another high-severity zero-day vulnerability (CVE-2024-7971) caused by a V8 type confusion weakness.
“Updated on 26 August 2024 to reflect the in the wild exploitation of CVE-2024-7965 which was reported after this release,” the company said in today’s update. “Google is aware that exploits for CVE-2024-7971 and CVE-2024-7965 exist in the wild.”
Google has fixed both zero-days in Chrome version 128.0.6613.84/.85 for Windows/macOS systems and version 128.0.6613.84 for Linux users, which have been rolling out to all users in the Stable Desktop channel since Wednesday.
Even though Chrome will automatically update when security patches are available, you can also speed up this process and apply the updates manually by going to the Chrome menu > Help > About Google Chrome, letting the update finish, and clicking the ‘Relaunch’ button to install it.
While Google confirmed that the CVE-2024-7971 and CVE-2024-7965 vulnerabilities were used in the wild, it has yet to share more information regarding these attacks.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google says.
“We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”
Since the start of the year, Google has patched eight other zero-days tagged as exploited in attacks or during the Pwn2Own hacking contest:
- CVE-2024-0519: A high-severity out-of-bounds memory access weakness within the Chrome V8 JavaScript engine, allowing remote attackers to exploit heap corruption via a specially crafted HTML page, leading to unauthorized access to sensitive information.
- CVE-2024-2887: A high-severity type confusion flaw in the WebAssembly (Wasm) standard. It could lead to remote code execution (RCE) exploits leveraging a crafted HTML page.
- CVE-2024-2886: A use-after-free vulnerability in the WebCodecs API used by web applications to encode and decode audio and video. Remote attackers exploited it to perform arbitrary reads and writes via crafted HTML pages, leading to remote code execution.
- CVE-2024-3159: A high-severity vulnerability caused by an out-of-bounds read in the Chrome V8 JavaScript engine. Remote attackers exploited this flaw using specially crafted HTML pages to access data beyond the allocated memory buffer, resulting in heap corruption that could be leveraged to extract sensitive information.
- CVE-2024-4671: A high-severity use-after-free flaw in the Visuals component that handles the rendering and display of content in the browser.
- CVE-2024-4761: An out-of-bounds write problem in Chrome’s V8 JavaScript engine, which is responsible for executing JS code in the application.
- CVE-2024-4947: Type confusion weakness in the Chrome V8 JavaScript engine enabling arbitrary code execution on the target device.
- CVE-2024-5274: A type confusion in Chrome’s V8 JavaScript engine that can lead to crashes, data corruption, or arbitrary code execution.