In the latest development, Google has patched yet another zero-day vulnerability in its Chrome browser, the second in just four days. The vulnerability, tracked as CVE-2024-4761, was disclosed by Daniel Yip, a technical program manager at Google, in a blog post on Monday. It is a high-severity out-of-bounds write in V8, Chrome's open source JavaScript engine. Google has released few technical details, citing security concerns, and has credited an anonymous researcher for discovering the flaw.
The exploitation scope of CVE-2024-4761 remains uncertain, but it is deemed to be a significant risk for Chrome users given the escalating exploitation of zero-day vulnerabilities by malicious actors, particularly in web browsers. Google has announced that fixes for the vulnerability will be rolled out gradually over the upcoming days and weeks to ensure maximum coverage among users.
It is unclear how many users have already received the patch for CVE-2024-4761. To streamline the handling of zero-day and known vulnerabilities, Google had previously increased the frequency of security updates for Chrome. Notably, Yip emphasized in the blog post that an exploit for the vulnerability is already circulating in the wild, underscoring the urgency for users to update their browsers to the fixed versions.
Users on Mac and Windows systems are advised to update to version 124.0.6367.207/.208, while Linux Chrome users can download version 124.0.6367.207 to address CVE-2024-4761. This rapid response from Google aims to mitigate the potential risks associated with the zero-day vulnerability and protect users from potential security breaches.
In a similar context, Google had recently disclosed another high-severity zero-day vulnerability identified as CVE-2024-4671 just days prior. This vulnerability, which pertained to an issue in the Visuals component, posed a risk of memory manipulation by attackers. Google released fixes for CVE-2024-4671 in version 124.0.6367.201/.202 for Mac and Windows users, along with version 124.0.6367.201 for Linux users.
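A version check is the practical follow-up to the two advisories above. The script below is an added example, not Google's code or anything from the article: it takes the fixed build numbers quoted for CVE-2024-4761 and CVE-2024-4671, compares an installed Chrome version against them component by component, and reports which fixes are still missing. The platform labels, the `version_from_cli_output` helper (which assumes the `Google Chrome 124.0.6367.207` text that `google-chrome --version` prints) and the sample version strings are assumptions made for the example.

```python
"""Check an installed Chrome build against the fixed versions for
CVE-2024-4761 and CVE-2024-4671 (numbers taken from the article above).
Added example; platform labels and sample inputs are constructed."""
import re
from typing import Dict, List, Tuple

# Fixed builds per platform, as stated in the article. Mac and Windows
# received two builds (.207/.208 and .201/.202); Linux received one each.
FIXED_VERSIONS: Dict[str, Dict[str, List[str]]] = {
    "CVE-2024-4761": {
        "windows": ["124.0.6367.207", "124.0.6367.208"],
        "mac": ["124.0.6367.207", "124.0.6367.208"],
        "linux": ["124.0.6367.207"],
    },
    "CVE-2024-4671": {
        "windows": ["124.0.6367.201", "124.0.6367.202"],
        "mac": ["124.0.6367.201", "124.0.6367.202"],
        "linux": ["124.0.6367.201"],
    },
}

_VERSION_RE = re.compile(r"\b(\d+\.\d+\.\d+\.\d+)\b")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'MAJOR.MINOR.BUILD.PATCH' into a tuple of ints so that
    comparison is numeric. A plain string compare would rank
    '124.0.6367.99' above '124.0.6367.207', which is wrong."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome-style version: {version!r}")
    return tuple(int(p) for p in parts)


def version_from_cli_output(text: str) -> str:
    """Extract the version from text such as 'Google Chrome 124.0.6367.207'
    (assumed format of `google-chrome --version` on Linux; the caller
    supplies the text, nothing is executed here)."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version found in {text!r}")
    return match.group(1)


def is_patched(installed: str, cve: str, platform: str) -> bool:
    """True if the installed build is at or above the lowest fixed build
    for this CVE on this platform. Assumes later builds keep the fix."""
    fixed = FIXED_VERSIONS[cve][platform.lower()]
    minimum = min(parse_version(v) for v in fixed)
    return parse_version(installed) >= minimum


def missing_fixes(installed: str, platform: str) -> List[str]:
    """List the CVEs whose fixed build the installed version predates."""
    return [cve for cve in FIXED_VERSIONS
            if not is_patched(installed, cve, platform)]


if __name__ == "__main__":
    # Constructed sample: a Linux host still on the CVE-2024-4671 fix build.
    sample_output = "Google Chrome 124.0.6367.201"
    installed = version_from_cli_output(sample_output)
    gaps = missing_fixes(installed, "linux")
    print(f"installed {installed}: "
          + ("up to date" if not gaps else "missing " + ", ".join(gaps)))
```

Feed it the output of the browser's own version command (or the value your endpoint inventory reports) rather than typing versions by hand; the numeric tuple comparison is the point of the example, since version strings compared as text sort build 99 after build 207.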
So far, Google has not attributed either zero-day attack to a specific threat actor or group. Earlier this year, Google’s Threat Analysis Group and Mandiant jointly published a report on zero-day exploitation trends in 2023. The report found that a majority of the zero-day exploits targeting Google products and Android devices last year were linked to commercial spyware vendors.
As the situation unfolds, Google continues to enhance its security measures to address emerging threats and vulnerabilities. At the time of publication, Google had not responded to requests for further comments on the recent zero-day vulnerabilities and their impact on users. Stay tuned for more updates on this evolving story.
Arielle Waldman, a news writer for TechTarget Editorial specializing in enterprise security, contributed to this report.