Google on Tuesday launched updates to repair 4 security points in its Chrome browser, together with an actively exploited zero-day flaw.
The difficulty, tracked as CVE-2024-0519, issues an out-of-bounds reminiscence entry within the V8 JavaScript and WebAssembly engine, which may be weaponized by menace actors to set off a crash.
“By studying out-of-bounds reminiscence, an attacker may be capable to get secret values, resembling reminiscence addresses, which may be bypass safety mechanisms resembling ASLR in an effort to enhance the reliability and probability of exploiting a separate weak point to attain code execution as an alternative of simply denial of service,” in line with MITRE’s Widespread Weak spot Enumeration (CWE).
Further particulars concerning the nature of the assaults and the menace actors which may be exploiting them have withheld in an try to stop additional exploitation. The difficulty was reported anonymously on January 11, 2024.
“Out-of-bounds reminiscence entry in V8 in Google Chrome previous to 120.0.6099.224 allowed a distant attacker to probably exploit heap corruption through a crafted HTML web page,” reads an outline of the flaw on the NIST’s Nationwide Vulnerability Database (NVD).
The event marks the primary actively exploited zero-day to be patched by Google in Chrome in 2024. Final yr, the tech large resolved a complete of 8 such actively exploited zero-days within the browser.
Customers are beneficial to improve to Chrome model 120.0.6099.224/225 for Home windows, 120.0.6099.234 for macOS, and 120.0.6099.224 for Linux to mitigate potential threats.
Customers of Chromium-based browsers resembling Microsoft Edge, Courageous, Opera, and Vivaldi are additionally suggested to use the fixes as and after they turn out to be out there.