Chrome Zero-day Vulnerability Actively Exploited in the Wild


Google has announced the release of Chrome 128 to the stable channel for Windows, Mac, and Linux.

This update, Chrome 128.0.6613.84 for Linux and 128.0.6613.84/.85 for Windows and Mac addresses a critical zero-day vulnerability actively exploited in the wild.

The update includes 38 security fixes, with particular attention to those contributed by external researchers.

Details of the Zero-Day Vulnerability

The Chrome team has been working diligently to address a zero-day vulnerability that has been actively exploited.

The vulnerability, CVE-2024-7971, involves type confusion in V8, Chrome’s open-source JavaScript engine.

The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) reported this flaw on August 19, 2024.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN -14-day free trial

While the specific details of the exploit remain restricted to protect users, the fix’s urgency underscores the vulnerability’s potential severity.

The Chrome team has emphasized that access to bug details and links will remain restricted until most users have updated their browsers.

This precaution ensures that users are protected before the vulnerability details are public, preventing further exploitation.

In addition to the zero-day vulnerability, the Chrome 128 update includes a wide range of security fixes.

Below is a table summarizing the key vulnerabilities addressed in this update:

Bounty CVE ID Severity Description Reported On
$36,000 CVE-2024-7964 High Use after free in Passwords 2024-08-08
$11,000 CVE-2024-7965 High Inappropriate implementation in V8 2024-07-30
$10,000 CVE-2024-7966 High Inappropriate Implementation in Permissions 2024-07-25
$7,000 CVE-2024-7967 High Heap buffer overflow in Fonts 2024-07-27
$1,000 CVE-2024-7968 High Use after free in Autofill 2024-06-25
TBD CVE-2024-7969 High Type Confusion in V8 2024-07-09
TBD CVE-2024-7971 High Type confusion in V8 2024-08-19
$11,000 CVE-2024-7972 Medium Inappropriate implementation in V8 2024-06-10
$7,000 CVE-2024-7973 Medium Heap buffer overflow in PDFium 2024-06-06
$3,000 CVE-2024-7974 Medium Insufficient data validation in V8 API 2024-05-07
$3,000 CVE-2024-7975 Medium Insufficient data validation in the Installer 2024-06-16
$2,000 CVE-2024-7976 Medium Inappropriate implementation in FedCM 2024-05-10
$1,000 CVE-2024-7977 Medium Insufficient Policy Enforcement in Data Transfer 2024-02-11
$1,000 CVE-2024-7978 Medium Insufficient data validation in the Installer 2022-07-21
TBD CVE-2024-7979 Medium Insufficient data validation in the Installer 2024-07-29
TBD CVE-2024-7980 Medium Inappropriate Implementation in Views 2024-07-30
$1,000 CVE-2024-7981 Low Inappropriate Implementation in WebApp Installs 2023-07-14
$500 CVE-2024-8033 Low Inappropriate implementation in WebApp Installs 2024-06-30
$500 CVE-2024-8034 Low Inappropriate implementation in Custom Tabs 2024-07-18
TBD CVE-2024-8035 Low Inappropriate implementation in Extensions 2022-04-26

The Chrome team is committed to ensuring user safety and has expressed gratitude to the security researchers who contributed to these fixes.

Users are strongly encouraged to update their browsers to the latest version to protect against these vulnerabilities.

Google also plans to release more information about new features and major efforts in upcoming blog posts for Chrome and Chromium.

As cyber threats evolve, timely updates and collaboration with the security community remain crucial in safeguarding users worldwide.

Protect Your Business with Cynet Managed All-in-One Cybersecurity Platform – Try Free Trial



Source link