Chrome is by far the dominant browser by market share, so when there's an alarming security flaw that's being actively exploited in the wild, it's a bit of a big deal. To that end, Google has issued an urgent update to Chrome that addresses that very thing. It also fixes a host of other security flaws, several of which are 'High' level threats.
Google had previously issued an alert about a different security threat last week, in a blog post announcing the promotion of Chrome 128 to the stable channel for Windows, Mac, and Linux. Now, several days later, Google has posted an update "to reflect in the wild exploitation" of yet another zero-day flaw, which is being tracked as CVE-2024-7965. That means it's not just a potential threat vector, but one that hackers are actively targeting.
This is the 10th such zero-day flaw so far this year. As is usually the case, there's not a lot of information to go on, as Google wisely withholds most of the juicy details until a majority of users have had the chance to patch their Chrome install. That's a tall order, given that there are billions of Chrome installs.
What we do know, however, is that CVE-2024-7965 is described as an "Inappropriate implementation in V8," which is Chrome's JavaScript engine. We also know that this could allow a hacker to remotely exploit heap corruption by way of a specially crafted HTML page. It carries a base score of 8.8 (High), which puts it just short of being a Critical security flaw.
The previous zero-day flaw that Google sounded an alarm over is also fixed in the newest build. Tracked as CVE-2024-7971, it also carries an 8.8 base score and is a similar type of security threat (described as type confusion in V8).
Aside from those two, the latest Chrome update patches 17 other security flaws, most of which carry a "Medium" or "High" severity rating—only four carry a "Low" severity rating. One of the flaws, tracked as CVE-2024-7964, earned a security researcher a $36,000 bug bounty payment.
Chrome protects against all of the outlined threats in version 128.0.6613.84/.85 on Windows and Mac, and 128.0.6613.84 on Linux.
According to Google, the latest release "will roll out over the coming days/weeks."
If you don't want to wait, however, click the three vertical dots in the upper-right corner of Chrome and navigate to Help > About Google Chrome. This will initiate an automatic download of the latest release.