Right now, Google revealed that it patched the tenth zero-day exploited within the wild in 2024 by attackers or safety researchers throughout hacking contests.
Tracked as CVE-2024-7965 and reported by a safety researcher recognized solely as TheDog, the now-patched high-severity vulnerability is brought on by a bug within the compiler backend when choosing the directions to generate for just-in-time (JIT) compilation.
Google describes the vulnerability as an inappropriate implementation in Google Chrome’s V8 JavaScript engine that can let distant attackers exploit heap corruption by way of a crafted HTML web page.
This was introduced in an replace to a weblog submit the place the corporate revealed final week that it had mounted one other high-severity zero-day vulnerability (CVE-2024-7971) brought on by a V8 sort confusion weak point.
“Up to date on 26 August 2024 to replicate the within the wild exploitation of CVE-2024-7965 which was reported after this launch,” the corporate stated in immediately’s replace. “Google is conscious that exploits for CVE-2024-7971 and CVE-2024-7965 exist within the wild.”
Google has mounted each zero-days in Chrome model 128.0.6613.84/.85 for Home windows/macOS programs and model 128.0.6613.84 Linux customers, which have been rolling out to all customers within the Steady Desktop channel since Wednesday.
Regardless that Chrome will robotically replace when safety patches are out there, you may as well pace up this course of and apply the updates manually by going to the Chrome menu > Assist > About Google Chrome, letting the replace end, and clicking the ‘Relaunch’ button to put in it.
Whereas Google confirmed that the CVE-2024-7971 and CVE-2024-7965 vulnerabilities have been used within the wild, it has but to share extra data relating to these assaults.
“Entry to bug particulars and hyperlinks could also be saved restricted till a majority of customers are up to date with a repair,” Google says.
“We can even retain restrictions if the bug exists in a 3rd get together library that different tasks equally rely on, however have not but mounted.”
For the reason that begin of the 12 months, Google has patched eight different zero-days tagged as exploited in assaults or through the Pwn2Own hacking contest:
- CVE-2024-0519: A high-severity out-of-bounds reminiscence entry weak point throughout the Chrome V8 JavaScript engine, permitting distant attackers to use heap corruption by way of a specifically crafted HTML web page, resulting in unauthorized entry to delicate data.
- CVE-2024-2887: A high-severity sort confusion flaw within the WebAssembly (Wasm) customary. It might result in distant code execution (RCE) exploits leveraging a crafted HTML web page.
- CVE-2024-2886: A use-after-free vulnerability within the WebCodecs API utilized by net functions to encode and decode audio and video. Distant attackers exploited it to carry out arbitrary reads and writes by way of crafted HTML pages, resulting in distant code execution.
- CVE-2024-3159: A high-severity vulnerability brought on by an out-of-bounds learn within the Chrome V8 JavaScript engine. Distant attackers exploited this flaw utilizing specifically crafted HTML pages to entry information past the allotted reminiscence buffer, leading to heap corruption that might be leveraged to extract delicate data.
- CVE-2024-4671: A high-severity use-after-free flaw within the Visuals element that handles the rendering and displaying content material within the browser.
- CVE-2024-4761: An out-of-bounds write drawback in Chrome’s V8 JavaScript engine, which is chargeable for executing JS code within the software.
- CVE-2024-4947: Sort confusion weak point within the Chrome V8 JavaScript engine enabling arbitrary code execution on the goal system.
- CVE-2024-5274: A kind confusion Chrome’s V8 JavaScript engine that may result in crashes, information corruption, or arbitrary code execution