Google Fixes Eighth Zero-Day Vulnerability in Chrome This Year

Google has rolled out a critical security update for Chrome, addressing the eighth zero-day vulnerability discovered in the browser this year.

This latest fix targets a high-severity type confusion flaw in the V8 JavaScript engine, which has been actively exploited in the wild.

Identified as CVE-2024-5274, the vulnerability was reported by Clément Lecigne of Google's Threat Analysis Group and Brendon Tiszka of Chrome Security on May 20, 2024. The flaw allows attackers to exploit the vulnerability through a crafted HTML page, potentially leading to unauthorized access or execution of arbitrary code. Google's awareness of active exploits targeting this vulnerability prompted a swift response to issue a patch.

This update brings the Chrome version to 125.0.6422.112/.113 for Windows and Mac, and 125.0.6422.112 for Linux. Linux users can expect the update to roll out over the coming days and weeks, while Windows and Mac users can apply the security update immediately. As a precaution, Google has restricted access to detailed bug information until a majority of users have applied the fix.

Earlier this year, Google addressed seven other actively exploited zero-day flaws in Chrome.

• CVE-2024-0519: Out-of-bounds memory access in the Chrome V8 JavaScript engine, leading to heap corruption and unauthorized access to sensitive information.
• CVE-2024-2887: Type confusion in WebAssembly (Wasm), which could enable remote code execution through crafted HTML pages.
• CVE-2024-2886: Use-after-free vulnerability in the WebCodecs API, allowing arbitrary reads and writes and potentially remote code execution.
• CVE-2024-3159: Out-of-bounds read in the V8 JavaScript engine, exploited to access data beyond the allocated memory buffer, leading to heap corruption.
• CVE-2024-4671: Use-after-free flaw in the Visuals component, affecting content rendering and display.
• CVE-2024-4761: Out-of-bounds write in the V8 JavaScript engine, critical for executing JavaScript code.
• CVE-2024-4947: Type confusion in the V8 JavaScript engine, potentially leading to arbitrary code execution.

To protect against these vulnerabilities, users are advised to update their Chrome browser to the latest version. Enabling automatic updates ensures that the latest security fixes are received promptly, but users can check the version they're running from Settings > About Chrome, followed by a restart of the app.

Although it's good to see Google is responding to newly discovered zero-day flaws with speed, the large number of back to back critical updates is bound to create some fatigue on users. Still, given Chrome's massive popularity, it is to be expected for such a widely used software to be targeted by sophisticated threat actors who are able to discover and leverage undocumented security flaws.