Google has again moved swiftly to address a critical vulnerability in its widely used Chrome web browser, releasing an urgent security update on Thursday to neutralize an actively exploited zero-day flaw. This is the fourth Chrome zero-day to be patched within two weeks, underscoring the ongoing battle against cyber threats targeting popular software.
Exploited Vulnerability Triggers Emergency Response
The high-severity vulnerability, tracked as CVE-2024-5274, is a type confusion flaw residing within the V8 JavaScript and WebAssembly engine, a core component of the Chrome browser. Google acknowledged that an exploit for this vulnerability already exists in the wild, posing a significant risk to users.
Google withheld specific details about the vulnerability and its active exploitation to safeguard users, but credited Clement Lecigne of Google’s Threat Analysis Group (TAG) and Brendon Tiszka of Chrome Security with reporting the flaw. No bug bounty reward will be awarded for this discovery.
Chrome vulnerabilities, particularly zero-days, have long been a target for commercial surveillance software vendors and other malicious actors. Google’s TAG researchers have previously reported several instances of zero-days being exploited by spyware vendors, highlighting the persistent threats posed to the popular browser.
A Flurry of Patches in Recent Weeks
The patching of CVE-2024-5274 marks the fourth Chrome zero-day to be addressed within the last 15 days, following the resolution of CVE-2024-4671 (use-after-free in Visuals), CVE-2024-4761 (out-of-bounds write in V8), and CVE-2024-4947 (type confusion in V8). In total, Google has resolved eight Chrome zero-days so far this year, with three of them being demonstrated at the prestigious Pwn2Own Vancouver 2024 hacking contest in March.
Prompt Updating Recommended
The latest Chrome iteration, addressing CVE-2024-5274, is now rolling out as version 125.0.6422.112 for Linux and version 125.0.6422.112/.113 for Windows and macOS. Google has also released Chrome for Android versions 125.0.6422.112/.113 with the same security fixes. Users are strongly advised to update their Chrome browsers immediately to safeguard against potential exploitation of this critical vulnerability.
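One way to check a fleet against the fixed build listed above is to compare each reported version as a tuple of integers. This is an added example, not code from Google or the original article; the inventory format, host names and sample versions are constructed assumptions.

```python
import re

# Lowest fixed build the article lists for Linux, Windows, macOS and Android
# (Windows, macOS and Android may also report .113).
FIXED_BUILD = (125, 0, 6422, 112)

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part version from e.g. 'Google Chrome 125.0.6422.76'."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one version string."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"  # no usable version: needs manual follow-up
    # Integer tuples compare numerically; comparing the raw strings would
    # wrongly rank '...6422.76' above '...6422.112'.
    return "patched" if v >= FIXED_BUILD else "vulnerable"


def audit(inventory_lines):
    """Group hosts by patch status from 'host,version string' lines."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version_text = line.partition(",")
        report[classify(version_text)].append(host.strip())
    return report


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = """\
# host,reported version string
ws-001,Google Chrome 125.0.6422.113
ws-002,Google Chrome 125.0.6422.76
build-07,Google Chrome 124.0.6367.207
kiosk-3,Google Chrome 125.0.6422.112
lab-9,Google Chrome 126.0.6478.10 beta
old-pc,version unavailable
""".splitlines()

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as unknown should be treated as unpatched until a version can be confirmed.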