Overview of the Security Flaw
Google has released critical security updates to fix a serious vulnerability in its Chrome browser. This flaw, which has been actively exploited, affects the V8 JavaScript and WebAssembly engine. The vulnerability, identified as CVE-2024-7971, is a type misunderstanding issue that has been classified as high-severity.
You might be interested in: Google Pixel Devices Shipped with Security Flaw
Details of the Vulnerability
The bug, described as a “type confusion” in the V8 engine, affects Chrome versions prior to 128.0.6613.84. This flaw allowed attackers to remotely cause heap corruption using specially crafted HTML pages. The National Vulnerability Database (NVD) has documented this issue, emphasizing its potential for serious harm.
The vulnerability was reported by the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) on August 19, 2024. However, specific details about the attacks or the identities of those responsible have not been disclosed, likely to ensure that most users can apply the fix before more information is made public.
Google’s Response
Google confirmed the existence of an active exploit for CVE-2024-7971 but provided limited information to protect users. Notably, this is the third type confusion flaw in V8 that Google has addressed in 2024, following CVE-2024-4947 and CVE-2024-5274.
So far in 2024, Google has resolved nine zero-day vulnerabilities in Chrome, including several demonstrated at the Pwn2Own 2024 conference:
- CVE-2024-0519ย – Out-of-bounds memory access in V8
- CVE-2024-2886ย – Use-after-free in WebCodecs (demonstrated at Pwn2Own 2024)
- CVE-2024-2887ย – Type confusion in WebAssembly (demonstrated at Pwn2Own 2024)
- CVE-2024-3159ย – Out-of-bounds memory access in V8 (demonstrated at Pwn2Own 2024)
- CVE-2024-4671ย – Use-after-free in Visuals
- CVE-2024-4761ย – Out-of-bounds write in V8
- CVE-2024-4947ย – Type confusion in V8
- CVE-2024-5274ย – Type confusion in V8
What You Should Do
To stay safe, users should update their Chrome browsers to version 128.0.6613.84/.85 on Windows and macOS, and version 128.0.6613.84 on Linux. Additionally, users of Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi should apply the latest patches as soon as they become available.
Upgrading to these versions is strongly advised to avoid potential risks associated with this and other vulnerabilities.
MANAGED CYBERSECURITY SOLUTIONS
Rhyno delivers a range of activities that combine to fully protect your infrastructure and data from cybercriminals, anywhere and everywhere, 24/7/365.
About Rhyno Cybersecurity Services
Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.
Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.