Google on Tuesday launched updates to repair 4 safety points in its Chrome browser, together with an actively exploited zero-day flaw.
The difficulty, tracked as CVE-2024-0519, issues an out-of-bounds reminiscence entry within the V8 JavaScript and WebAssembly engine, which might be weaponized by menace actors to set off a crash.
“By studying out-of-bounds reminiscence, an attacker would possibly be capable of get secret values, comparable to reminiscence addresses, which might be bypass safety mechanisms comparable to ASLR as a way to enhance the reliability and chance of exploiting a separate weak point to attain code execution as an alternative of simply denial of service,” in keeping with MITRE’s Frequent Weak point Enumeration (CWE).
Extra particulars in regards to the nature of the assaults and the menace actors which may be exploiting it have been withheld in an try to stop additional exploitation. The difficulty was reported anonymously on January 11, 2024.
“Out-of-bounds reminiscence entry in V8 in Google Chrome previous to 120.0.6099.224 allowed a distant attacker to doubtlessly exploit heap corruption through a crafted HTML web page,” reads an outline of the flaw on the NIST’s Nationwide Vulnerability Database (NVD).
The event marks the primary actively exploited zero-day to be patched by Google in Chrome in 2024. Final 12 months, the tech big resolved a complete of 8 such actively exploited zero-days within the browser.
Customers are really helpful to improve to Chrome model 120.0.6099.224/225 for Home windows, 120.0.6099.234 for macOS, and 120.0.6099.224 for Linux to mitigate potential threats.
Customers of Chromium-based browsers comparable to Microsoft Edge, Courageous, Opera, and Vivaldi are additionally suggested to use the fixes as and after they turn out to be accessible.
