Google recently updated its Chrome Security Bulletin to reveal that a vulnerability in the browser, previously patched on August 21, 2024, is now being actively exploited in the wild. This marks the tenth such exploit identified this year, highlighting the increasing security challenges for one of the world's most popular web browsers.
The vulnerability, tracked as CVE-2024-7965, was originally addressed in Chrome version 128.0.6613.84, released on August 21, 2024. The flaw, categorized as a “High” severity issue, is attributed to an inappropriate implementation in V8, Chrome's open-source JavaScript and WebAssembly engine.
The bug was reported by a security researcher known as “TheDog” on July 30, 2024, and earned a reward of $11,000 under Google's bug bounty program. Despite its initial resolution, Google updated the bulletin on August 26, 2024, to reflect new information that CVE-2024-7965 is being exploited by threat actors.
It is unclear if Google discovered that threat actors were leveraging CVE-2024-7965 in attacks after the publication of the original bulletin, or if attackers have developed methods to leverage this vulnerability to compromise systems after it was publicly disclosed. In either case, this shows why it's always prudent to apply the available security updates as soon as possible, no matter what exploitation status is given for each of the fixed flaws.
Chrome, with its extensive user base across Windows, macOS, and Linux, is a prime target for cybercriminals. V8, as the engine responsible for executing JavaScript, is particularly critical to the browser's operation, making any vulnerabilities within it potentially devastating. In this case, the inappropriate implementation issue could allow attackers to execute arbitrary code, leading to a range of malicious outcomes, from data theft to further system compromise.
CISA sets deadline for the update
Today, CISA added another V8 flaw impacting Chrome/Chromium browsers onto its Known Exploited Vulnerabilities (KEV) catalog. The flaw, tracked as CVE-2024-7971, is a type confusion vulnerability that allows remote attackers to exploit heap corruption via a crafted HTML page.
Google patched CVE-2024-7971 also in version 128.0.6613.84, together with CVE-2024-7965, hence that release addressed two actively exploited vulnerabilities. With CISA demanding that federal agencies apply the update until September 16, 2024, both flaws are covered.
Most Chrome users who have restarted their browser at least once since August 21 should have received the update automatically by now, but if you need to check manually, head to “Help”> “About Chrome” and check the indicated version. If you see a spinning circle indicating an ongoing update, wait for it to finish and click the “Relaunch” button to complete the installation.
Leave a Reply