Original Article Text


Google fixes third actively exploited Chrome zero-day in a week

Google has released a new emergency Chrome security update to address the third zero-day vulnerability exploited in attacks within a week. "Google is aware that an exploit for CVE-2024-4947 exists in the wild," the search giant said in a security advisory published on Wednesday.

The company fixed the zero-day flaw with the release of 125.0.6422.60/.61 for Mac/Windows and 125.0.6422.60 for Linux. The new versions will roll out to all users in the Stable Desktop channel over the coming weeks.

Chrome updates automatically when security patches are available. However, users can also confirm they're running the latest version by going to Chrome menu > Help > About Google Chrome, letting the update finish, and then clicking on the 'Relaunch' button to install it. Today's update was immediately available when BleepingComputer checked for new updates.

The high-severity zero-day vulnerability (CVE-2024-4947) is caused by a type confusion weakness in the Chrome V8 JavaScript engine, reported by Kaspersky's Vasily Berdnikov and Boris Larin. Even though such vulnerabilities generally enable threat actors to trigger browser crashes by reading or writing memory out of buffer bounds, they can also exploit them for arbitrary code execution on targeted devices.

While Google confirmed the CVE-2024-4947 bug was used in attacks, the company has yet to share more details regarding these incidents. "Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Google said. "We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed."

Microsoft also said they're "aware of the recent exploits existing in the wild" and that they're "actively working on releasing a security fix" for the Chromium-based Edge web browser.
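As an added example that is not part of the article, the version check above can be automated across a fleet: the Python below compares reported Chrome build strings numerically against the first fixed build (125.0.6422.60, the minimum on every platform) and buckets hosts that still need the update. The inventory, hostnames and the helper names are constructed for this illustration.

```python
"""Flag Chrome installs below the build that fixes CVE-2024-4947 (constructed example)."""
import re
from typing import Dict, List, Tuple

# First Stable builds with the fix per Google's advisory: 125.0.6422.60/.61 on
# Mac/Windows and 125.0.6422.60 on Linux, so .60 is the floor everywhere.
# Edge has its own version numbering, so this threshold applies to Chrome only.
FIXED_VERSION: Tuple[int, ...] = (125, 0, 6422, 60)

_VERSION_RE = re.compile(r"^\d+(\.\d+){0,3}$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Dotted Chrome version -> 4-tuple of ints; missing trailing parts become 0.
    Raises ValueError for anything that is not a plain dotted number, so an
    empty or 'unknown' inventory field is never silently treated as patched."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"not a Chrome version string: {text!r}")
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (4 - len(parts))


def is_patched(version: str) -> bool:
    """True if the build is at or above the first fixed version. Tuples compare
    numerically, so 125.0.6422.9 correctly sorts below 125.0.6422.60."""
    return parse_version(version) >= FIXED_VERSION


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Sort (hostname, version) pairs into patched / needs_update / unknown."""
    result: Dict[str, List[str]] = {"patched": [], "needs_update": [], "unknown": []}
    for host, version in inventory:
        try:
            bucket = "patched" if is_patched(version) else "needs_update"
        except ValueError:
            bucket = "unknown"  # malformed or missing version: verify by hand
        result[bucket].append(host)
    return result


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("ws-01", "124.0.6367.208"),  # pre-fix 124 build, still vulnerable
    ("ws-02", "125.0.6422.61"),   # Windows/Mac fixed build
    ("ws-03", "125.0.6422.60"),   # Linux fixed build
    ("ws-04", "not installed"),   # cannot be evaluated automatically
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```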
Seventh actively exploited zero-day patched in 2024

This latest Chrome vulnerability is the seventh zero-day fixed in the Google web browser since the start of the year, with the complete list of zero-days patched in 2024 including:

Daily Brief Summary

MALWARE // Google Patches Third Chrome Zero-Day in One Week

Google has issued an emergency security update for Chrome to fix a third zero-day vulnerability exploited within a week.

The vulnerability, identified as CVE-2024-4947, involves a type confusion issue in the Chrome V8 JavaScript engine.

This high-severity flaw, reported by Kaspersky researchers, can be used to crash the browser through out-of-bounds memory reads or writes and, in the worst case, to achieve arbitrary code execution on targeted devices.

The updated Chrome versions 125.0.6422.60/.61 for Mac/Windows and 125.0.6422.60 for Linux will be distributed to users in the Stable Desktop channel in the upcoming weeks.

Chrome users are urged to ensure their browser is updated to the latest version by manually checking via the Chrome menu and installing available updates.

Details about the attacks using this vulnerability remain restricted until most users have received the fix, and Google may keep them restricted if the bug also exists in a third-party library that other projects depend on and have not yet patched.

This zero-day is the seventh to be addressed in Chrome in 2024, signaling a concerning trend in browser security vulnerabilities.