Here we go again. Google Chrome is pushing an emergency update to patch an actively-exploited zero-day vulnerability. You should install the update immediately, as failure to do so will leave your system exposed to a high-severity attack.
The vulnerability in question—CVE-2024-7971—extends from a type confusion flaw in Chrome’s V8 JavaScript engine. Malicious actors are actively exploiting this flaw to leverage arbitrary code execution on targeted Windows, macOS, and Linux devices, according to Google. The bug may also exist in “a third-party library” utilized by other apps, though this hasn’t been confirmed.
Researchers at the Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) discovered and reported CVE-2024-7971 on August 19th. Predictably, Microsoft and Google have kept the “bug details” close to their chest. We won’t know the full story behind this flaw until a majority of Chrome users have installed Google’s patch. It could be an especially long wait if the flaw exists in third-party JavaScript libraries.
This is the ninth Chrome zero-day to be patched by Google in 2024. While the large number of zero-day disclosures is somewhat concerning, we should be careful to avoid survivorship bias. Increased zero-day identification could extend from poor security practices at Google, but the simpler and more reasonable explanation is that White Hat efforts have grown more effective.
Note that Chrome’s emergency update contains a total of 38 security fixes, including some of a very low severity. You can view the full list at Google’s Chrome Releases blog.
The patch for CVE-2024-7971 is included in Google Chrome versions 128.0.6613.84 (Windows and Linux) and 128.0.6613.85 (macOS). To check your current Chrome version, go to Settings, enter “Help,” and navigate to “About Google Chrome.” You’ll see an option to manually update Chrome if the update hasn’t been installed on your system.
Source: Google via BleepingComputer
