Google resolves third actively exploited Chrome zero-day within one week – Source: www.bleepingcomputer.com

Google has recently issued an emergency security update for Chrome in response to the discovery of a third zero-day vulnerability that has been exploited in attacks over the past week. The search giant acknowledged the existence of an exploit for CVE-2024-4947, a high-severity zero-day vulnerability caused by a type confusion weakness in the Chrome V8 JavaScript engine.

Typically, vulnerabilities like these could allow threat actors to initiate browser crashes by either reading or writing memory out of buffer bounds. However, they can also be exploited for arbitrary code execution on targeted devices. This latest zero-day flaw is one of three actively exploited Chrome vulnerabilities that have been patched this week. The other two vulnerabilities are CVE-2024-4671, which is a use-after-free flaw in the Visuals component, and CVE-2024-4761, an out-of-bounds write bug in the V8 JavaScript engine.

In response to these security concerns, Microsoft has also acknowledged the existence of these exploits in the wild and is actively working on releasing a security fix for the Chromium-based Edge web browser. Google has rolled out the fix for the zero-day vulnerability in Chrome through the release of versions 125.0.6422.60/.61 for Mac/Windows and 125.0.6422.60 for Linux. These updated versions will gradually be made available to all users in the Stable Desktop channel in the coming weeks.

Chrome users can ensure they have the latest version installed by checking for updates in the Chrome menu under ‘Help’ and then selecting ‘About Google Chrome’. If an update is available, users can click on the ‘Relaunch’ button to install it. The update was immediately accessible when BleepingComputer checked for new updates.
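For teams checking many machines rather than one, the comparison against the fixed builds above can be scripted. This is an added example, not code from the article or from Google; the inventory format, hostnames and sample readings are constructed, and it assumes each record carries the version string as the browser reports it.

```python
import re

# Fixed builds named in the article (Stable Desktop channel).
# Mac/Windows received .60/.61, Linux .60, so .60 is the minimum everywhere.
FIXED = {
    "windows": (125, 0, 6422, 60),
    "mac": (125, 0, 6422, 60),
    "linux": (125, 0, 6422, 60),
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

def parse_version(text):
    """Extract a four-part Chrome version from free text, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def classify(platform, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one inventory record."""
    baseline = FIXED.get(platform.lower())
    version = parse_version(version_text)
    if baseline is None or version is None:
        # Unknown platform or unreadable version: needs manual follow-up.
        return "unknown"
    # Tuple comparison is numeric per component; comparing the raw strings
    # would wrongly rank "99.0.4000.51" above "125.0.6422.60".
    return "patched" if version >= baseline else "vulnerable"

def audit(records):
    """Map host -> status. records: iterable of (host, platform, version_text)."""
    return {host: classify(platform, text) for host, platform, text in records}

# Constructed sample inventory (hostnames and readings are made up).
SAMPLE = [
    ("ws-01", "windows", "Google Chrome 125.0.6422.61"),
    ("ws-02", "windows", "Google Chrome 124.0.6000.10"),
    ("mac-01", "mac", "Google Chrome 125.0.6422.60"),
    ("lnx-01", "linux", "Google Chrome 99.0.4000.51"),
    ("lnx-02", "linux", "chrome: command not found"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` are worth treating as unpatched until someone confirms the installed build.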

This latest zero-day vulnerability is the seventh such issue fixed by Google this year. The complete list of zero-days patched in 2024 includes CVE-2024-0519, CVE-2024-2887, CVE-2024-2886, CVE-2024-3159, CVE-2024-4671, and CVE-2024-4761, in addition to the most recent CVE-2024-4947. These vulnerabilities have been identified in different components of the Chrome browser, such as the V8 JavaScript engine, WebAssembly, WebCodecs API, and Visuals component.

While Google has confirmed that the CVE-2024-4947 vulnerability has been used in attacks, details about these incidents have not been publicly disclosed. The company stated that access to bug details and links may be restricted until a majority of users have been updated with a fix, and that restrictions may also remain in place if the bug exists in a third-party library that other projects depend on but have not yet fixed.

Overall, the rollout of this emergency security update aims to enhance the protection of Chrome users against potential threats and cyber attacks targeting these vulnerabilities. Users are encouraged to update their browsers promptly to ensure they are safeguarded against any potential exploits of these zero-day vulnerabilities.
