Google has released an emergency security update for its Chrome browser to address a high-severity zero-day vulnerability, identified as CVE-2024-4761, which has been actively exploited in attacks. This update follows closely on the heels of another zero-day flaw, CVE-2024-4671, which was patched three days earlier and was linked to a use-after-free issue in the Visuals component.
JavaScript Engine Vulnerability
The newly identified bug, CVE-2024-4761, is an out-of-bounds write issue affecting Chrome’s V8 JavaScript engine, which is responsible for executing JavaScript code within the browser. Out-of-bounds write errors occur when a program writes data outside the allocated memory buffer, potentially leading to unauthorized data access, arbitrary code execution, or system crashes. Google has confirmed the existence of an exploit for this vulnerability in the wild.
Update Details and User Instructions
The security flaw has been addressed with the release of Chrome versions 124.0.6367.207/.208 for Mac and Windows, and 124.0.6367.207 for Linux. These updates will be rolled out to all users over the next few days or weeks. For those using the ‘Extended Stable’ channel, the fixes will be included in version 124.0.6367.207 for both Mac and Windows. Chrome typically updates automatically when a new security patch is available, but users can manually verify they are running the latest version by navigating to Settings > About Chrome, allowing the update to complete, and then clicking the ‘Relaunch’ button to apply it.
Overview of 2024 Zero-Day Vulnerabilities
This latest security issue marks the sixth zero-day vulnerability in Chrome to be discovered and addressed in 2024. The flaw was reported by an anonymous researcher on May 9, 2024. Google has stated that detailed information about the bug and related links may remain restricted until a majority of users have received the update. Restrictions will also persist if the vulnerability exists in a third-party library that other projects depend on but have not yet fixed.
Previously fixed zero-day vulnerabilities in Chrome this year include:
- CVE-2024-0519: An out-of-bounds memory access issue in the V8 JavaScript engine, allowing remote attackers to exploit heap corruption through specially crafted HTML pages, leading to unauthorized access to sensitive information.
- CVE-2024-2887: A high-severity flaw that allowed attackers to execute arbitrary code by exploiting a memory corruption issue.
To find out more, please visit the Chrome Security Page. If you are interested in switching release channels can find more information on the Chromium website. If you encounter new issues, you can file a bug report or seek assistance through the community help forum.
Last Updated on November 7, 2024 8:29 pm CET