Original Article Text

Google fixes ninth Chrome zero-day exploited in attacks this year.

Today, Google released a new Chrome emergency security update to patch a zero-day vulnerability tagged as exploited in attacks. "Google is aware that an exploit for CVE-2024-7971 exists in the wild," the company said in an advisory published on Wednesday.

This high-severity zero-day vulnerability is caused by a type confusion weakness in Chrome's V8 JavaScript engine. Security researchers with the Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) reported it on Monday. Although such security flaws can commonly enable attackers to trigger browser crashes after data allocated into memory is interpreted as a different type, they can also exploit them for arbitrary code execution on targeted devices running unpatched browsers.

Google has fixed the zero-day with the release of 128.0.6613.84/.85 for Windows/macOS and 128.0.6613.84 (Linux), versions that will roll out to all users in the Stable Desktop channel over the coming weeks. While Chrome updates automatically when security patches are available, users can also speed up the process by going to the Chrome menu > Help > About Google Chrome, letting the update finish, and clicking the 'Relaunch' button to install it. Today's update was immediately available when BleepingComputer looked for new updates today.

Even though Google confirmed the CVE-2024-7971 vulnerability was used in attacks, the company has yet to share additional information regarding in-the-wild exploitation. "Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Google said. "We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed."

CVE-2024-7971 is the ninth Chrome zero-day patched by Google in 2024, either exploited in the wild or at the Pwn2Own hacking contest:

Daily Brief Summary

MALWARE // Google Patches Ninth Chrome Zero-Day Vulnerability in 2024

Google released an emergency security update for Chrome to address a zero-day vulnerability exploited in attacks.

The vulnerability, identified as CVE-2024-7971, involves a type confusion issue in the V8 JavaScript engine, leading to potential arbitrary code execution.

This vulnerability marks the ninth zero-day flaw Google has addressed in Chrome this year, signaling ongoing security challenges.

The flaw was reported by the Microsoft Threat Intelligence Center and Microsoft Security Response Center on Monday.

Updates to Chrome (versions 128.0.6613.84/.85 for Windows/macOS and 128.0.6613.84 for Linux) are rolling out to users on the Stable Desktop channel.

Chrome users can expedite the update process manually via the browser's menu to ensure protection is applied sooner.

Google has restricted details about the exploitation of the vulnerability and will continue to limit information until the majority of users receive the update.
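To check a fleet against the fixed builds named above, the following sketch classifies reported Chrome versions as patched, vulnerable, or unknown. It is an added example, not code from Google or the original article; the inventory format, host names, and sample version strings are constructed assumptions.

```python
import re
from collections import defaultdict

# Fixed builds stated in the article: 128.0.6613.84/.85 (Windows/macOS) and
# 128.0.6613.84 (Linux). The lowest fixed build on every platform is .84.
FIXED_BUILD = (128, 0, 6613, 84)

# Chrome versions are four dot-separated integers: MAJOR.MINOR.BUILD.PATCH
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the version as a tuple of ints, or None if it is malformed."""
    match = _VERSION_RE.fullmatch(text.strip())
    return tuple(int(part) for part in match.groups()) if match else None


def classify(version_text):
    """Compare numerically: as strings, '128.0.6613.9' would sort above '.84'."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # missing or unparsable data needs manual follow-up
    return "patched" if version >= FIXED_BUILD else "vulnerable"


def audit(inventory):
    """Group hosts by status. inventory: iterable of (host, platform, version)."""
    report = defaultdict(list)
    for host, _platform, version_text in inventory:
        report[classify(version_text)].append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE_INVENTORY = [
    ("ws-001", "windows", "128.0.6613.85"),
    ("mac-014", "macos", "128.0.6613.84"),
    ("lnx-203", "linux", "127.0.6000.10"),
    ("ws-077", "windows", "128.0.6613.9"),
    ("kiosk-9", "linux", ""),
    ("ws-102", "windows", "129.0.1.1"),
]

if __name__ == "__main__":
    for status, hosts in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{status}: {', '.join(hosts)}")
```

Because the update is only applied after the relaunch step described in the article, the inventory should report the version of the running browser rather than the version staged on disk.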