
Google Releases Emergency Chrome Update for Third Zero-Day in a Week

Google Chrome fixes third zero-day in a week (CVE-2024-4947), update to v125.0.6422.60/61 for Mac/Windows, 125.0.6422.60 for Linux to address type confusion in V8 engine.


Google has issued an emergency security update for Chrome to address a third zero-day vulnerability exploited in attacks within a week. The company acknowledges the existence of an exploit for CVE-2024-4947 in the wild, according to a security advisory. The flaw has been fixed in versions 125.0.6422.60/.61 for Mac/Windows and 125.0.6422.60 for Linux. These updates will be rolled out to all users in the Stable Desktop channel over the coming weeks. 

This is the second security patch from Google in as many days. Earlier this week, the company released a fix for a Chrome flaw that could lead to unauthorized data access. That update addressed a high-severity zero-day vulnerability, identified as CVE-2024-4761, which has been actively exploited in attacks.

Automatic and Manual Updates

Chrome updates automatically when new security patches are available. However, users can manually verify they are running the latest version by navigating to Chrome menu > Help > About Google Chrome. Once the update is complete, users should click the ‘Relaunch’ button to install it. BleepingComputer confirmed that the update was immediately available when checked.
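For administrators checking many machines rather than one About page, the same verification can be scripted. The following is an added example, not code from Google or the article: it compares reported Chrome version strings against the fixed build named above (125.0.6422.60 on every platform). The inventory rows, host names and function names are constructed for illustration.

```python
import re

# Minimum fixed build for CVE-2024-4947 per platform, as stated in the article
# (Mac/Windows also ship .61, which compares as newer than .60).
FIXED_BUILDS = {
    "windows": (125, 0, 6422, 60),
    "mac": (125, 0, 6422, 60),
    "linux": (125, 0, 6422, 60),
}

# Exactly four dot-separated numeric fields, not embedded in a longer dotted run.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_version(text):
    """Return the version as a 4-tuple of ints, or None if none is found."""
    match = _VERSION_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def classify(platform, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one installation."""
    fixed = FIXED_BUILDS.get(platform.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # unparseable data needs a manual look, not a pass
    # Tuples compare numerically field by field; comparing the raw strings
    # would wrongly rank build ".112" below ".60".
    return "patched" if version >= fixed else "vulnerable"


def triage(inventory):
    """Group host names by patch status."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, platform, version_text in inventory:
        report[classify(platform, version_text)].append(host)
    return report


# Constructed sample inventory: (host, platform, reported version string).
SAMPLE_INVENTORY = [
    ("ws-01", "Windows", "125.0.6422.61"),
    ("ws-02", "Windows", "124.0.6367.207"),
    ("mb-01", "Mac", "125.0.6422.112"),
    ("lx-01", "Linux", "Google Chrome 125.0.6422.60 "),
    ("lx-02", "Linux", "125.0.6422"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

A version read from the installed files says nothing about whether the browser has been relaunched, so hosts reported as patched may still be running the old build until the user restarts Chrome.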

Details of the Vulnerability

The high-severity zero-day vulnerability, identified as CVE-2024-4947, is caused by a type confusion weakness in the Chrome V8 JavaScript engine. This flaw was reported by Kaspersky researchers Vasily Berdnikov and Boris Larin. Such vulnerabilities typically allow threat actors to cause browser crashes by reading or writing memory out of buffer bounds. However, they can also be exploited for arbitrary code execution on targeted devices.

Google has confirmed that this bug was used in attacks but has not yet provided detailed information about these incidents. The company states that access to bug details and links may remain restricted until most users have received the fix. Restrictions will also be maintained if the bug exists in a third-party library that other projects depend on and have not yet fixed.

Seven Zero-Days Patched in 2024

This latest vulnerability marks the seventh zero-day flaw patched in Chrome since the beginning of the year. The list of zero-days addressed in 2024 includes:

  • CVE-2024-0519: A high-severity out-of-bounds memory access issue in the Chrome V8 JavaScript engine, allowing remote attackers to exploit heap corruption via a specially crafted HTML page, leading to unauthorized access to sensitive information.
  • CVE-2024-2887: A high-severity type confusion flaw in the WebAssembly (Wasm) standard, potentially leading to remote code execution (RCE) exploits through a crafted HTML page.
  • CVE-2024-2886: A use-after-free vulnerability in the Web
Source: Google
Luke Jones