Chrome Zero-day Vulnerability Actively Exploited in the Wild

Google has announced the release of Chrome 128 to the stable channel for Windows, Mac, and Linux.

This update, Chrome 128.0.6613.84 for Linux and 128.0.6613.84/.85 for Windows and Mac addresses a critical zero-day vulnerability actively exploited in the wild.

The update includes 38 security fixes, with particular attention to those contributed by external researchers.

Details of the Zero-Day Vulnerability

The Chrome team has been working diligently to address a zero-day vulnerability that has been actively exploited.

The vulnerability, CVE-2024-7971, involves type confusion in V8, Chrome’s open-source JavaScript engine.

The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) reported this flaw on August 19, 2024.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN -14-day free trial

While the specific details of the exploit remain restricted to protect users, the fix’s urgency underscores the vulnerability’s potential severity.

The Chrome team has emphasized that access to bug details and links will remain restricted until most users have updated their browsers.

This precaution ensures that users are protected before the vulnerability details are public, preventing further exploitation.

In addition to the zero-day vulnerability, the Chrome 128 update includes a wide range of security fixes.

Below is a table summarizing the key vulnerabilities addressed in this update:

Bounty	CVE ID	Severity	Description	Reported On
$36,000	CVE-2024-7964	High	Use after free in Passwords	2024-08-08
$11,000	CVE-2024-7965	High	Inappropriate implementation in V8	2024-07-30
$10,000	CVE-2024-7966	High	Inappropriate Implementation in Permissions	2024-07-25
$7,000	CVE-2024-7967	High	Heap buffer overflow in Fonts	2024-07-27
$1,000	CVE-2024-7968	High	Use after free in Autofill	2024-06-25
TBD	CVE-2024-7969	High	Type Confusion in V8	2024-07-09
TBD	CVE-2024-7971	High	Type confusion in V8	2024-08-19
$11,000	CVE-2024-7972	Medium	Inappropriate implementation in V8	2024-06-10
$7,000	CVE-2024-7973	Medium	Heap buffer overflow in PDFium	2024-06-06
$3,000	CVE-2024-7974	Medium	Insufficient data validation in V8 API	2024-05-07
$3,000	CVE-2024-7975	Medium	Insufficient data validation in the Installer	2024-06-16
$2,000	CVE-2024-7976	Medium	Inappropriate implementation in FedCM	2024-05-10
$1,000	CVE-2024-7977	Medium	Insufficient Policy Enforcement in Data Transfer	2024-02-11
$1,000	CVE-2024-7978	Medium	Insufficient data validation in the Installer	2022-07-21
TBD	CVE-2024-7979	Medium	Insufficient data validation in the Installer	2024-07-29
TBD	CVE-2024-7980	Medium	Inappropriate Implementation in Views	2024-07-30
$1,000	CVE-2024-7981	Low	Inappropriate Implementation in WebApp Installs	2023-07-14
$500	CVE-2024-8033	Low	Inappropriate implementation in WebApp Installs	2024-06-30
$500	CVE-2024-8034	Low	Inappropriate implementation in Custom Tabs	2024-07-18
TBD	CVE-2024-8035	Low	Inappropriate implementation in Extensions	2022-04-26

The Chrome team is committed to ensuring user safety and has expressed gratitude to the security researchers who contributed to these fixes.

Users are strongly encouraged to update their browsers to the latest version to protect against these vulnerabilities.

Google also plans to release more information about new features and major efforts in upcoming blog posts for Chrome and Chromium.

As cyber threats evolve, timely updates and collaboration with the security community remain crucial in safeguarding users worldwide.

Protect Your Business with Cynet Managed All-in-One Cybersecurity Platform – Try Free Trial