Google reports 10th Chrome zero-day exploit this year

Today, Google revealed that it has patched the tenth zero-day flaw that was exploited in the wild in 2024 by attackers or security researchers during hacking competitions.

Tracked as CVE-2024-7965 and reported by a security researcher known only as TheDog, the now-patched high-severity vulnerability is described as an improper implementation in Google Chrome’s V8 JavaScript engine that could allow remote attackers to exploit heap corruption via a specially crafted HTML page.

This was announced in an update to a blog post in which the company revealed last week that it had fixed another high-severity zero-day vulnerability (CVE-2024-7971), caused by a type confusion weakness in V8.

“Updated on August 26, 2024 to address exploitation of CVE-2024-7965 that was reported after this release,” the company said in today’s update. “Google is aware that security vulnerabilities for CVE-2024-7971 and CVE-2024-7965 exist in the wild.”

Google fixed the two zero-days in Chrome version 128.0.6613.84/.85 for Windows/macOS systems and version 128.0.6613.84 for Linux users, which have been rolling out to all Stable Desktop channel users since Wednesday.

Although Chrome automatically updates when security patches are available, you can also speed up this process and apply updates manually by going to Chrome menu > Help > About Google Chrome, letting the update finish, and clicking the “Restart” button to install it.

Google Chrome 128.0.6613.85
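A fleet check against the fixed builds named above, as an added example that is not from the original article or from Google: it parses reported version strings and compares them numerically with 128.0.6613.84. The inventory rows, hostnames and function names are constructed for illustration.

```python
import re

# Fixed builds stated in the article (Stable Desktop channel).
# Windows/macOS shipped as .84/.85, so .84 is the minimum patched build.
FIXED_BUILD = {
    "windows": (128, 0, 6613, 84),
    "macos": (128, 0, 6613, 84),
    "linux": (128, 0, 6613, 84),
}
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_chrome_version(text):
    """Return the four-part version as a tuple of ints, or None."""
    match = _VERSION_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def classify(platform, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one installation."""
    fixed = FIXED_BUILD.get(platform.lower())
    version = parse_chrome_version(version_text)
    if fixed is None or version is None:
        return "unknown"
    # Tuples compare numerically field by field; comparing the raw strings
    # would rank "99.0.4844.51" and "128.0.6613.9" above "128.0.6613.84".
    return "patched" if version >= fixed else "vulnerable"


def audit(inventory):
    """Map each host to its status."""
    return {host: classify(platform, text) for host, platform, text in inventory}


# Constructed inventory rows: (hostname, platform, reported version string).
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "Google Chrome 128.0.6613.85"),
    ("ws-02", "windows", "Google Chrome 128.0.6613.9"),
    ("mac-01", "macos", "Google Chrome 127.0.6533.120"),
    ("lnx-01", "linux", "Google Chrome 128.0.6613.84 "),
    ("lnx-02", "linux", "Google Chrome 99.0.4844.51"),
    ("kiosk-01", "chromeos", "128.0.6613.84"),
    ("ws-03", "windows", "version unavailable"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

A "patched" result reflects the version reported by the inventory source; a browser that has downloaded the update but not been restarted keeps running the old build.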

Although Google has confirmed that the CVE-2024-7971 and CVE-2024-7965 vulnerabilities have been used in the wild, it has not yet shared further information regarding these attacks.

“Access to bug details and links may be restricted until a majority of users are notified of a fix,” Google says.

“We will also maintain restrictions if the bug exists in a third-party library that other projects similarly depend on, but has not yet been fixed.”

Since the beginning of the year, Google has fixed eight other zero-days reported to be exploited in attacks or in the Pwn2Own hacking contest:

  • CVE-2024-0519: A high-severity out-of-bounds memory access vulnerability in the Chrome V8 JavaScript engine, allowing remote attackers to exploit heap corruption via a crafted HTML page, leading to unauthorized access to sensitive information.
  • CVE-2024-2887: A high-severity type confusion vulnerability in the WebAssembly (Wasm) standard. It could lead to remote code execution (RCE) exploits leveraging a specially crafted HTML page.
  • CVE-2024-2886: A use-after-free vulnerability in the WebCodecs API used by web applications to encode and decode audio and video files. Remote attackers exploited this to perform arbitrary reads and writes via specially crafted HTML pages, leading to remote code execution.
  • CVE-2024-3159: A high-severity out-of-bounds read vulnerability in Chrome’s V8 JavaScript engine. Remote attackers exploited this flaw by using specially crafted HTML pages to access data beyond the allocated buffer, resulting in heap corruption that could be exploited to extract sensitive information.
  • CVE-2024-4671: A high-severity use-after-free vulnerability in the Visuals component that handles rendering and displaying content in the browser.
  • CVE-2024-4761: An out-of-bounds write issue in Chrome’s V8 JavaScript engine, which is responsible for executing JS code in the application.
  • CVE-2024-4947: A type confusion weakness in the Chrome V8 JavaScript engine allowing arbitrary code execution on the target device.
  • CVE-2024-5274: A type confusion in Chrome’s V8 JavaScript engine that may lead to crashes, data corruption, or arbitrary code execution.