In a recent security update, Google disclosed that it has patched its tenth zero-day vulnerability exploited in the wild this year. The newly addressed issue, tracked as CVE-2024-7965, was reported by a security researcher known only as TheDog and involves a high-severity flaw in Chrome’s V8 JavaScript engine. This vulnerability, described as an inappropriate implementation, could allow remote attackers to exploit heap corruption through a specially crafted HTML page.
This update follows last week’s disclosure of another significant zero-day vulnerability (CVE-2024-7971), also related to the V8 JavaScript engine, which was caused by a type confusion issue. The recent announcement was made via a blog post update, highlighting the critical nature of the vulnerability. Google confirmed that both CVE-2024-7971 and CVE-2024-7965 are actively being exploited in the wild.
Users are encouraged to update to Chrome version 128.0.6613.84/.85 for Windows/macOS or version 128.0.6613.84 for Linux, which includes fixes for both vulnerabilities. These updates have been rolling out to all users in the Stable Desktop channel since Wednesday. To expedite the update process, users can manually check for updates by opening Chrome’s menu, selecting “Help,” then “About Google Chrome,” letting the update install, and then clicking the “Relaunch” button.
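For administrators who need to confirm the fix across many machines, the following added example (not from Google or the original article) compares reported Chrome version strings against the 128.0.6613.84 build named above. The hostnames, the sample inventory and the status labels are constructed for illustration.

```python
import re

# Fixed Stable build named in the article for Windows, macOS and Linux.
FIXED = (128, 0, 6613, 84)

# Chrome versions have four numeric parts: MAJOR.MINOR.BUILD.PATCH.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract the four-part version from a string such as
    'Google Chrome 128.0.6613.84'; return None if none is present."""
    m = _VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def classify(reported):
    """Return 'patched', 'needs_update' or 'unknown' for one version string."""
    v = parse_version(reported)
    if v is None:
        return "unknown"  # missing or malformed data must not count as patched
    # Tuples compare numerically per component; a plain string comparison
    # would wrongly rank '128.0.6613.9' above '128.0.6613.84'.
    return "patched" if v >= FIXED else "needs_update"


def audit(inventory):
    """Group hostnames by status. `inventory` maps host -> reported string."""
    result = {"patched": [], "needs_update": [], "unknown": []}
    for host, reported in sorted(inventory.items()):
        result[classify(reported)].append(host)
    return result


# Constructed sample inventory (hostnames and older versions are made up).
SAMPLE = {
    "win-01": "Google Chrome 128.0.6613.85",
    "mac-02": "Google Chrome 128.0.6613.84",
    "lin-03": "Google Chrome 99.0.1.1",
    "lin-04": "Google Chrome 128.0.6613.9",
    "win-05": "",
}

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as `unknown` should be followed up rather than assumed current, since an empty or unparsable version string says nothing about the installed build.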
Despite confirming the existence of active exploits, Google has not yet provided detailed information about the nature of these attacks. The company has stated that access to detailed bug information and related links may be restricted until a majority of users have received the update. This measure also applies if the bug exists in third-party libraries that other projects rely on and have not yet patched.
Since the beginning of the year, Google has addressed eight other zero-day vulnerabilities identified as exploited in various attacks or during the Pwn2Own hacking contest. These include:
- CVE-2024-0519: A high-severity out-of-bounds memory access flaw within the Chrome V8 JavaScript engine, allowing remote exploitation via crafted HTML pages.
- CVE-2024-2887: A high-severity type confusion vulnerability in WebAssembly (Wasm) leading to potential remote code execution (RCE).
- CVE-2024-2886: A use-after-free flaw in the WebCodecs API enabling arbitrary reads and writes via crafted HTML pages.
- CVE-2024-3159: A high-severity out-of-bounds read issue in the Chrome V8 JavaScript engine, allowing sensitive data extraction.
- CVE-2024-4671: A high-severity use-after-free vulnerability in the Visuals component of Chrome.
- CVE-2024-4761: An out-of-bounds write problem within the V8 JavaScript engine.
- CVE-2024-4947: A type confusion issue in the V8 JavaScript engine enabling arbitrary code execution.
- CVE-2024-5274: A type confusion vulnerability in the V8 JavaScript engine, leading to potential crashes or data corruption.
Google continues to prioritize security and urges users to stay updated with the latest patches to mitigate potential risks.