Google has announced the release of Chrome 128 to the stable channel for Windows, Mac, and Linux.
This update, Chrome 128.0.6613.84 for Linux and 128.0.6613.84/.85 for Windows and Mac addresses a critical zero-day vulnerability actively exploited in the wild.
The update includes 38 security fixes, with particular attention to those contributed by external researchers.
Details of the Zero-Day Vulnerability
The Chrome team has been working diligently to address a zero-day vulnerability that has been actively exploited.
The vulnerability, CVE-2024-7971, involves type confusion in V8, Chrome’s open-source JavaScript engine.
The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) reported this flaw on August 19, 2024.
Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN -14-day free trial
While the specific details of the exploit remain restricted to protect users, the fix’s urgency underscores the vulnerability’s potential severity.
The Chrome team has emphasized that access to bug details and links will remain restricted until most users have updated their browsers.
This precaution ensures that users are protected before the vulnerability details are public, preventing further exploitation.
In addition to the zero-day vulnerability, the Chrome 128 update includes a wide range of security fixes.
Below is a table summarizing the key vulnerabilities addressed in this update:
Bounty | CVE ID | Severity | Description | Reported On |
$36,000 | CVE-2024-7964 | High | Use after free in Passwords | 2024-08-08 |
$11,000 | CVE-2024-7965 | High | Inappropriate implementation in V8 | 2024-07-30 |
$10,000 | CVE-2024-7966 | High | Inappropriate Implementation in Permissions | 2024-07-25 |
$7,000 | CVE-2024-7967 | High | Heap buffer overflow in Fonts | 2024-07-27 |
$1,000 | CVE-2024-7968 | High | Use after free in Autofill | 2024-06-25 |
TBD | CVE-2024-7969 | High | Type Confusion in V8 | 2024-07-09 |
TBD | CVE-2024-7971 | High | Type confusion in V8 | 2024-08-19 |
$11,000 | CVE-2024-7972 | Medium | Inappropriate implementation in V8 | 2024-06-10 |
$7,000 | CVE-2024-7973 | Medium | Heap buffer overflow in PDFium | 2024-06-06 |
$3,000 | CVE-2024-7974 | Medium | Insufficient data validation in V8 API | 2024-05-07 |
$3,000 | CVE-2024-7975 | Medium | Insufficient data validation in the Installer | 2024-06-16 |
$2,000 | CVE-2024-7976 | Medium | Inappropriate implementation in FedCM | 2024-05-10 |
$1,000 | CVE-2024-7977 | Medium | Insufficient Policy Enforcement in Data Transfer | 2024-02-11 |
$1,000 | CVE-2024-7978 | Medium | Insufficient data validation in the Installer | 2022-07-21 |
TBD | CVE-2024-7979 | Medium | Insufficient data validation in the Installer | 2024-07-29 |
TBD | CVE-2024-7980 | Medium | Inappropriate Implementation in Views | 2024-07-30 |
$1,000 | CVE-2024-7981 | Low | Inappropriate Implementation in WebApp Installs | 2023-07-14 |
$500 | CVE-2024-8033 | Low | Inappropriate implementation in WebApp Installs | 2024-06-30 |
$500 | CVE-2024-8034 | Low | Inappropriate implementation in Custom Tabs | 2024-07-18 |
TBD | CVE-2024-8035 | Low | Inappropriate implementation in Extensions | 2022-04-26 |
The Chrome team is committed to ensuring user safety and has expressed gratitude to the security researchers who contributed to these fixes.
Users are strongly encouraged to update their browsers to the latest version to protect against these vulnerabilities.
Google also plans to release more information about new features and major efforts in upcoming blog posts for Chrome and Chromium.
As cyber threats evolve, timely updates and collaboration with the security community remain crucial in safeguarding users worldwide.
Protect Your Business with Cynet Managed All-in-One Cybersecurity Platform – Try Free Trial