Today, Google revealed that it patched the tenth zero-day exploited in the wild in 2024 by attackers or security researchers during hacking contests.
Tracked as CVE-2024-7965 and reported by a security researcher known only as TheDog, the now-patched high-severity vulnerability is described as an inappropriate implementation in Google Chrome’s V8 JavaScript engine that can let remote attackers exploit heap corruption via a crafted HTML page.
This was announced in an update to a blog post where the company revealed last week that it fixed another high-severity zero-day vulnerability (CVE-2024-7971) caused by a V8 type confusion weakness.
“Updated on 26 August 2024 to reflect the in the wild exploitation of CVE-2024-7965 which was reported after this release,” the company said in today’s update. “Google is aware that exploits for CVE-2024-7971 and CVE-2024-7965 exist in the wild.”
Google has fixed both zero-days in Chrome version 128.0.6613.84/.85 for Windows/macOS systems and version 128.0.6613.84 for Linux users, which have been rolling out to all users in the Stable Desktop channel since Wednesday.
Even though Chrome will automatically update when security patches are available, you can also speed up this process and apply the updates manually by going to the Chrome menu > Help > About Google Chrome, letting the update finish, and clicking the ‘Relaunch’ button to install it.
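For administrators who track Chrome versions across many machines, the check below compares reported versions against the fixed build named above. It is an added example, not code from Google or the original article; the `host,platform,version` inventory format, the hostnames and the sample versions are constructed for illustration.

```python
import re

# Lowest fixed build named in the article (128.0.6613.84) for each platform it lists.
FIXED = dict.fromkeys(("windows", "macos", "linux"), (128, 0, 6613, 84))

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not MAJOR.MINOR.BUILD.PATCH."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def audit(inventory_lines):
    """Classify 'host,platform,version' lines as patched, vulnerable or unknown."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for line in inventory_lines:
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3:
            report["unknown"].append(line.strip())
            continue
        host, platform, raw = fields
        version = parse_version(raw)
        baseline = FIXED.get(platform.lower())
        if version is None or baseline is None:
            # Unparseable version or a platform the article gives no build for.
            report["unknown"].append(host)
        elif version >= baseline:
            report["patched"].append(host)
        else:
            report["vulnerable"].append(host)
    return report


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE = [
    "ws-01,windows,128.0.6613.85",
    "ws-02,windows,128.0.6613.9",  # numerically older than .84, though "9" > "84" as text
    "mac-01,macos,127.0.6533.120",
    "lnx-01,linux,128.0.6613.84",
    "lnx-02,linux,129.0.6668.58",
    "kiosk-01,chromeos,128.0.6613.84",  # platform not covered by the article
    "ws-03,windows,unknown",
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE).items():
        print(f"{status}: {', '.join(hosts)}")
```

Comparing the versions as integer tuples rather than strings is what keeps a build such as `128.0.6613.9` from being reported as newer than `128.0.6613.84`.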
While Google confirmed that the CVE-2024-7971 and CVE-2024-7965 vulnerabilities were used in the wild, it has yet to share more information regarding these attacks.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google says.
“We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”
Since the start of the year, Google has patched eight other zero-days tagged as exploited in attacks or during the Pwn2Own hacking contest:
- CVE-2024-0519: A high-severity out-of-bounds memory access weakness within the Chrome V8 JavaScript engine, allowing remote attackers to exploit heap corruption via a specially crafted HTML page, leading to unauthorized access to sensitive information.
- CVE-2024-2887: A high-severity type confusion flaw in the WebAssembly (Wasm) standard. It can lead to remote code execution (RCE) exploits leveraging a crafted HTML page.
- CVE-2024-2886: A use-after-free vulnerability in the WebCodecs API used by web applications to encode and decode audio and video. Remote attackers exploited it to perform arbitrary reads and writes via crafted HTML pages, leading to remote code execution.
- CVE-2024-3159: A high-severity vulnerability caused by an out-of-bounds read in the Chrome V8 JavaScript engine. Remote attackers exploited this flaw using specially crafted HTML pages to access data beyond the allocated memory buffer, resulting in heap corruption that could be leveraged to extract sensitive information.
- CVE-2024-4671: A high-severity use-after-free flaw in the Visuals component that handles the rendering and displaying of content in the browser.
- CVE-2024-4761: An out-of-bounds write problem in Chrome’s V8 JavaScript engine, which is responsible for executing JS code in the application.
- CVE-2024-4947: Type confusion weakness in the Chrome V8 JavaScript engine enabling arbitrary code execution on the target system.
- CVE-2024-5274: A type confusion in Chrome’s V8 JavaScript engine that can lead to crashes, data corruption, or arbitrary code execution.