
Google Patches Sixth Exploited Chrome Zero-Day of 2024

Chrome 128 was released in the stable channel with patches for 38 vulnerabilities, including a V8 JavaScript engine flaw exploited in the wild.


Google on Wednesday announced the release of Chrome 128 to the stable channel with patches for 38 vulnerabilities, including 20 reported by external researchers.

Of the externally reported flaws, seven are high-severity bugs, and one of them has been exploited in the wild as a zero-day.

Tracked as CVE-2024-7971 and discovered and reported by Microsoft, the exploited security defect is described as a type confusion in the V8 JavaScript engine.

While Google does not provide specific details on the issue, type confusion vulnerabilities are memory safety flaws that could result in crashes, unexpected behavior, and remote code execution.

“Google is aware that an exploit for CVE-2024-7971 exists in the wild,” the internet giant notes in its advisory, without sharing information on the observed exploitation either.

Chrome 128 resolves five other high-severity memory safety bugs, including a use-after-free in Passwords, an out-of-bounds memory access in Skia, a heap buffer overflow in Fonts, a use-after-free in Autofill, and a type confusion in V8.

A third high-severity vulnerability in V8, namely an inappropriate implementation, was also addressed with the latest Chrome release.

The browser update also fixes nine medium-severity flaws, including multiple inappropriate implementation issues and insufficient data validation bugs, and four low-severity inappropriate implementation defects.


The internet giant says it handed out $95,000 in bug bounty rewards to the reporting researchers, with the highest payout – of $36,000 – going to an anonymous researcher who found the use-after-free bug in Passwords (CVE-2024-7964).

Google has yet to determine the amounts to be paid out for several vulnerabilities, so the final amount could be much higher.

The latest Chrome iteration is now rolling out as version 128.0.6613.84 for Linux and as versions 128.0.6613.84/.85 for macOS and Windows. Users are advised to update their browsers as soon as possible.
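A small added check, not part of the article, for confirming whether a machine is on the patched build: it parses a Chrome `--version` string and compares it against 128.0.6613.84 (the `google-chrome` binary name is an assumption for Linux installs; the sample strings below are constructed).

```python
import re
import subprocess

# Minimum build that carries the CVE-2024-7971 fix, per the Chrome 128 advisory.
PATCHED_VERSION = "128.0.6613.84"


def parse_version(text):
    """Pull a four-part dotted version out of text such as
    'Google Chrome 127.0.6533.119' and return it as an int tuple,
    so that 128.0.6613.8 correctly sorts below 128.0.6613.84."""
    match = re.search(r"(\d+(?:\.\d+){3})", text)
    if not match:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_patched(version_text, minimum=PATCHED_VERSION):
    """True when the build in version_text is at or above the patched build."""
    return parse_version(version_text) >= parse_version(minimum)


def installed_chrome_version(binary="google-chrome"):
    """Ask the local browser for its version string (binary name is an assumption)."""
    result = subprocess.run([binary, "--version"], capture_output=True,
                            text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    # Constructed sample outputs, not taken from a real host.
    samples = [
        "Google Chrome 127.0.6533.119",   # pre-128, still vulnerable
        "Google Chrome 128.0.6613.84",    # Linux patched build
        "Google Chrome 128.0.6613.85",    # macOS/Windows patched build
    ]
    for sample in samples:
        state = "patched" if is_patched(sample) else "UPDATE REQUIRED"
        print(f"{sample}: {state}")
```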

CVE-2024-7971 is the sixth Chrome zero-day exploited in attacks that Google has resolved this year. Four other zero-day vulnerabilities were patched after being demonstrated at hacking competitions.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
