Google has launched emergency security updates for the Chrome browser to handle a high-severity zero-day vulnerability tagged as exploited in assaults.
This repair comes solely three days after Google addressed one other zero-day vulnerability in Chrome, CVE-2024-4671, brought on by a use-after-free weak point within the Visuals element.
The most recent bug is tracked as CVE-2024-4761. It’s an out-of-bounds write drawback impacting Chrome’s V8 JavaScript engine, which is chargeable for executing JS code within the software.
Out-of-bounds write points happen when a program is allowed to jot down information exterior the desired array or buffer, doubtlessly resulting in unauthorized information entry, arbitrary code execution, or program crashes.
“Google is conscious that an exploit for CVE-2024-4761 exists within the wild,” reads the advisory.
The corporate mounted the security flaw with the discharge of 124.0.6367.207/.208 for Mac/Home windows and 124.0.6367.207 for Linux. The updates will roll out to all customers over the approaching days/weeks.
For customers of the ‘Prolonged Steady’ channel, fixes will likely be made obtainable in model 124.0.6367.207 for Mac and Home windows.
Chrome updates mechanically when a security replace is offered, however customers can affirm they’re operating the newest model by going to Settings > About Chrome, letting the replace end, after which clicking on the ‘Relaunch’ button to use it.
Sixth zero-day exploited in assaults
This newest Google Chrome vulnerability is the sixth zero-day bug found and stuck within the standard internet browser for the reason that begin of the yr.
The corporate notes that an nameless researcher reported the flaw on Might 9, 2024, however no additional particulars have been disclosed right now.
“Entry to bug particulars and hyperlinks could also be stored restricted till a majority of customers are up to date with a repair. We can even retain restrictions if the bug exists in a 3rd social gathering library that different tasks equally rely on, however haven’t but mounted,” Google mentioned.
Chrome zero-day flaws mounted in 2024 thus far embrace:
- CVE-2024-0519: A high-severity out-of-bounds reminiscence entry weak point throughout the Chrome V8 JavaScript engine, permitting distant attackers to use heap corruption by way of a specifically crafted HTML web page, resulting in unauthorized entry to delicate data.
- CVE-2024-2887: A high-severity sort confusion flaw within the WebAssembly (Wasm) normal. It might result in distant code execution (RCE) exploits leveraging a crafted HTML web page.
- CVE-2024-2886: A use-after-free vulnerability within the WebCodecs API utilized by internet functions to encode and decode audio and video. Distant attackers exploited it to carry out arbitrary reads and writes by way of crafted HTML pages, resulting in distant code execution.
- CVE-2024-3159: A high-severity vulnerability brought on by an out-of-bounds learn within the Chrome V8 JavaScript engine. Distant attackers exploited this flaw utilizing specifically crafted HTML pages to entry information past the allotted reminiscence buffer, leading to heap corruption that might be leveraged to extract delicate data.
- CVE-2024-4671: A high-severity use-after-free flaw within the Visuals element that handles the rendering and show of content material on the browser.
