Google Issues CVE-2024-7965 Alert due to security flaw in Chrome being actively exploited


Google has revealed that a security flaw caused by an implementation error, which was fixed in a Chrome browser software update last week, is being actively exploited.

Google has disclosed that a security vulnerability addressed in a software update for its Chrome browser that was released last week is being actively exploited in the wild.

The vulnerability, identified as CVE-2024-7965, is characterized as an improper implementation error in the V8 JavaScript and WebAssembly engine.

A summary of the bug in the NIST National Vulnerability Database (NVD) states that “inappropriate implementation in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.”

It has been reported that a security researcher going by the online alias TheDog found and reported the vulnerability on July 30, 2024, for which they were awarded an $11,000 bug bounty.

No more information has been made public regarding the type of attacks taking advantage of the vulnerability or who the potential threat actors are. Nonetheless, the IT behemoth admitted that it is aware of a CVE-2024-7965 exploit.

It further stated that “in the wild exploitation of CVE-2024-7965 […] was reported after this release.” Nevertheless, it’s unclear at this time whether the vulnerability was used as a weaponized zero-day before it was made public last week.

Since the beginning of 2024, Google has fixed nine zero-days in Chrome, including three that were shown during Pwn2Own 2024:

CVE-2024-0519: Out-of-bounds memory access in V8

CVE-2024-2886: Use-after-Free in WebCodecs (demonstrated at Pwn2Own 2024)

CVE-2024-2887: Type confusion in WebAssembly (demonstrated at Pwn2Own 2024)

CVE-2024-3159: Out-of-bounds memory access in V8 (demonstrated at Pwn2Own 2024)

CVE-2024-4671: Use-after-Free in Visuals

CVE-2024-4761: Out-of-bounds write in V8

CVE-2024-4947: Type confusion in V8

CVE-2024-5274: Type confusion in V8

CVE-2024-7971: Type confusion in V8

Users are strongly encouraged to upgrade to Chrome version 128.0.6613.84/.85 for Windows and macOS, and version 128.0.6613.84 for Linux, to mitigate potential threats.
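For administrators checking a fleet against that fixed build, the following is an added example (not from Google or the original article) that classifies reported Chrome version strings relative to 128.0.6613.84. The inventory records, hostnames and sample versions are constructed for illustration, and the function names are hypothetical.

```python
import re

# Fixed build named in the article and NVD summary: versions prior to it are affected.
FIXED = (128, 0, 6613, 84)

# Chrome versions have four numeric components, e.g. 128.0.6613.84.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part Chrome version from free text; None if absent."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one reported version."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    # Tuples compare numerically per component, so 6613.9 < 6613.84 and 99 < 128.
    # A plain string comparison would get both of those cases wrong.
    return "patched" if v >= FIXED else "vulnerable"


# Constructed sample inventory: (hostname, OS, reported version string).
INVENTORY = [
    ("ws-001", "Windows", "Google Chrome 128.0.6613.85"),
    ("ws-002", "macOS", "Google Chrome 127.0.6533.120"),
    ("ws-003", "Linux", "Google Chrome 128.0.6613.84"),
    ("ws-004", "Windows", "128.0.6613.9"),
    ("ws-005", "Linux", "99.0.4844.51"),
    ("ws-006", "macOS", "version not reported"),
]


def audit(inventory):
    """Group hostnames by status so vulnerable and unknown hosts get followed up."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, _os, version_text in inventory:
        report[classify(version_text)].append(host)
    return report


if __name__ == "__main__":
    for status, hosts in audit(INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts that land in the "unknown" group reported no parseable version and should be checked by hand rather than assumed patched.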
