Zero-day vulnerabilities have been keeping Chromium developers busy since the new Chrome 128 dropped. External researchers found four high-risk zero-day vulnerabilities in the Chromium code, which Google just patched.
The Google Chrome team published an update for the stable version of Google Chrome on the Chrome Releases blog. Two security fixes addressed the Skia graphics library (which Chrome and Chromium use to render graphics). They’re labeled CVE-2024-8198 and CVE-2024-8193, both classified as high risk. The other two bugs were found inside Chrome V8, the engine that runs JavaScript code in the browser. Devs have patched V8 issues CVE-2024-7969 and CVE-2024-8194.
Google only included limited information on what exactly these bugs are and how they can be exploited. The update page reads, “access to bug details and links may be kept restricted until a majority of users are updated with a fix.”
These security fixes come with the latest release of Google Chrome, version 128. It is slowly rolling out to everyone, along with a security patch for a bug that was fixed last week. External researchers were able to report all five vulnerabilities before any security incidents in the wild.
You can check if your browser has already auto-updated to the latest version by opening Chrome settings and heading over to the About tab. It should read “128.0.6613.113/.114” for Windows and Mac computers, and “128.0.6613.113” on Linux machines. As soon as you open the About tab, Chrome should automatically download the latest version and give you a “Relaunch” button to install the update.
Other Chromium-based browsers, Brave, Microsoft Edge, Opera, DuckDuckGo, and Vivaldi, have yet to get these four security patches. Microsoft Edge is on Chromium 128.0.2739.42 and Brave is running 128.0.6613.85. The last update for Microsoft Edge came out 7 days ago, and Brave’s most recent release notes date back 5 days. Opera is still on Chromium 127.0.6533.120, which came out August 22.
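For anyone checking more than one machine, the version comparison above can be scripted. The following is an added example, not code from Google or from the Chrome Releases blog: it audits a constructed inventory against the patched build 128.0.6613.113 and compares versions numerically, because a plain string comparison would rank 128.0.6613.85 above 128.0.6613.113. The host names and the inventory rows are assumptions; the Brave and Opera version strings are the ones quoted above.

```python
import re

# Lowest patched build named in the article (.113 on every platform).
PATCHED_BUILD = (128, 0, 6613, 113)

_VERSION_RE = re.compile(r"\d+\.\d+\.\d+\.\d+", re.ASCII)


def parse_version(text):
    """Return (major, minor, build, patch) as ints, or None if malformed."""
    text = text.strip()
    if not _VERSION_RE.fullmatch(text):
        return None
    return tuple(int(part) for part in text.split("."))


def classify(version_text, minimum=PATCHED_BUILD):
    """Classify one reported Chromium version against the patched build."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "unparseable"
    # Tuple comparison is numeric per component, so 85 < 113 as intended.
    return "patched" if parsed >= minimum else "outdated"


def audit(rows):
    """Map each (host, browser, version) row to (host, browser, status)."""
    return [(host, browser, classify(version)) for host, browser, version in rows]


# Constructed inventory for illustration; hosts are hypothetical.
SAMPLE_INVENTORY = [
    ("ws-01", "Chrome", "128.0.6613.114"),
    ("ws-02", "Chrome", "128.0.6613.113"),
    ("ws-03", "Chrome", "128.0.6613.85"),
    ("ws-04", "Brave", "128.0.6613.85"),
    ("ws-05", "Opera", "127.0.6533.120"),
    ("ws-06", "Chrome", "128.0.6613"),  # truncated report, cannot be judged
]

if __name__ == "__main__":
    for host, browser, status in audit(SAMPLE_INVENTORY):
        print(f"{host:6} {browser:7} {status}")
```

Rows reported as unparseable should be re-collected rather than assumed patched.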
Source: Chrome Releases Blog