Headline
Update Chrome! Google patches actively exploited zero-day vulnerability
Google has issued a security update for the Chrome browser that includes a patch for one zero-day vulnerability.
Google has released an update for Chrome which includes four security fixes, including one for a vulnerability that has reportedly already been exploited.
The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong—such as an extension stopping you from updating the browser.
So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerability in this patch. My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome.
If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete, and for you to be safe from those vulnerabilities.
After the update, the version should be 120.0.6099.224, or later
Technical details
Google never gives out a lot of information about vulnerabilities, for obvious reasons. Access to bug details and links may be kept restricted until a majority of users are updated with a fix. However, from the update page we can learn a few things.
Three vulnerabilities found by external researchers all lie in Chrome’s V8 JavaScript engine.
The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The three V8 vulnerabilities are listed as:
CVE-2024-0517: an out of bounds write in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
An out-of-bounds write can occur when a program writes outside the bounds of an allocated area of memory, potentially leading to a crash or arbitrary code execution. This can happen when the size of the data written is larger than the size of the allocated memory area, when the data is written to an incorrect location within the memory area, or when the program incorrectly calculates the size or location of the data to be written.
CVE-2024-0518: a type confusion in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Type confusion vulnerabilities are programming flaws that happen when a piece of code doesn’t verify the type of object that is passed to it before using it. Type confusion can allow an attacker to feed function pointers or data into the wrong piece of code. In this case, it can lead to heap corruption.
Heap corruption occurs when a program modifies the contents of a memory location outside of the memory allocated to the program. The heap is an area of memory made available for use by the program. The program can request blocks of memory for its use within the heap.
CVE-2024-0519: out of bounds memory access in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
An out-of-bounds memory access means that the software has access to data past the end, or before the beginning, of the intended buffer.
Google notes that it is aware of reports that an exploit for CVE-2024-0519 exists in the wild.
V8 is an open-source JavaScript and WebAssembly engine developed by the Chromium Project for Chromium and Google Chrome web browsers, so users of other Chromium based browsers, like Microsoft Edge, can expect to see similar updates in the near future.
Microsoft says it’s actively working on releasing a security patch and added:
“It’s worth highlighting that Microsoft Edge’s enhanced security mode feature mitigates this vulnerability. You can opt-in into this security feature and have peace of mind that Microsoft Edge is protecting you against this exploit.”
Use the following steps to configure enhanced security in Edge.
- In Microsoft Edge, go to Settings and more > Settings > Privacy, search, and services.
- Under Security, verify that Enhance your security on the web is enabled.
- Select the option that’s best for your browsing.
The following toggle settings are available:
- Toggle Off (Default): Feature is turned off
- Toggle On – Balanced (Recommended): Microsoft Edge will apply added security protections when users visit unfamiliar sites but bypass those protections for commonly visited sites. This combination provides a practical level of protection against attackers while preserving the user experience for a user’s usual tasks on the web.
- Toggle On – Strict: Microsoft Edge will apply added security protections for all the sites a user visits. Users may report some challenges accomplishing their usual tasks.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
Related news
In recent years, the number and sophistication of zero-day vulnerabilities have surged, posing a critical threat to organizations of all sizes. A zero-day vulnerability is a security flaw in software that is unknown to the vendor and remains unpatched at the time of discovery. Attackers exploit these flaws before any defensive measures can be implemented, making zero-days a potent weapon for
Google has revealed that a security flaw that was patched as part of a security update rolled out last week to its Chrome browser has come under active exploitation in the wild. Tracked as CVE-2024-7965, the vulnerability has been described as an inappropriate implementation bug in the V8 JavaScript and WebAssembly engine. "Inappropriate implementation in V8 in Google Chrome prior to
Google has rolled out security fixes to address a high-severity security flaw in its Chrome browser that it said has come under active exploitation in the wild. Tracked as CVE-2024-7971, the vulnerability has been described as a type confusion bug in the V8 JavaScript and WebAssembly engine. "Type confusion in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to exploit heap
Hello everyone! In this episode, I will talk about the February updates of my open source projects, also about projects at my main job at Positive Technologies and interesting vulnerabilities. Alternative video link (for Russia): https://vk.com/video-149273431_456239140 Let’s start with my open source projects. Vulremi A simple vulnerability remediation utility, Vulremi, now has a logo and […]
Gentoo Linux Security Advisory 202402-23 - Multiple vulnerabilities have been discovered in Chromium and its derivatives, the worst of which can lead to remote code execution. Versions greater than or equal to 121.0.6167.139 are affected.
Debian Linux Security Advisory 5602-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure. An exploit for CVE-2024-0519 exists in the wild.
Google on Tuesday released updates to fix four security issues in its Chrome browser, including an actively exploited zero-day flaw. The issue, tracked as CVE-2024-0519, concerns an out-of-bounds memory access in the V8 JavaScript and WebAssembly engine, which can be weaponized by threat actors to trigger a crash. "By reading out-of-bounds memory, an attacker might be able to get secret values,