Google Chrome: Fourth abused zero-day vulnerability in two weeks

Google has closed a zero-day vulnerability in the Chrome web browser that is already under attack, the fourth in two weeks.

Google once again has to close a zero-day hole in the Chrome web browser with an unscheduled emergency update. An exploit for it is already circulating in the wild, the fourth time this has happened in the past two weeks. Anyone using a Chromium-based web browser should promptly check whether an update is available and install it.

In the version announcement, the Chrome developers write that the vulnerability is caused by a "type confusion" in the JavaScript engine V8. This means that the data types actually in use do not match those the program code expects, which can lead to access to memory areas not intended for that purpose and, in some cases, to the execution of malicious code. The CVE entry has not yet been published, but this vulnerability can probably be exploited by getting the browser to display a carefully crafted web page (CVE-2024-5274, no CVSS value, "high" risk according to Google).

Chrome zero-day vulnerability already attacked

"Google is aware that an exploit for CVE-2024-5274 exists in the wild," the authors write in the release notes. Since the vulnerability was discovered by, among others, Clément Lecigne of Google's Threat Analysis Group (TAG), this indicates that attacks are already underway: Google's TAG typically analyzes attacks that have already taken place to identify the security vulnerabilities they used.

The current versions of Google Chrome that fix the bug are 125.0.6422.112/.113 for Android, 125.0.6422.112 for Linux and 125.0.6422.112/.113 for macOS and Windows. The extended stable channel is also patched, at version 124.0.6367.233 for macOS and Windows.

Version check

The version dialog tells you whether Chrome is up to date. It is reached from the browser's settings menu, behind the icon with the three stacked dots, under "Help" - "About Google Chrome". It shows the currently running software version and starts the update process if a newer one is available.

On Linux, the distribution's package manager usually handles updating the Chrome browser. The vulnerability affects the Chromium code base on which other web browsers, such as Microsoft's Edge, are also built. Urgent updates for these should therefore also be available shortly, and users should apply them quickly.
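Administrators who manage many Linux machines may prefer a scripted check to clicking through the version dialog. The following is an added example (not code from heise or from Google) that queries the locally installed Chrome or Chromium binary with `--version` and compares the result against the fixed builds quoted above: 125.0.6422.112 for the stable channel and 124.0.6367.233 for extended stable. The binary names it searches for on `PATH` and the "newer 125.x and later builds are also fixed" assumption are mine, not from the article.

```python
import re
import shutil
import subprocess

# Minimum patched builds, taken from the versions quoted in the article.
PATCHED_STABLE = (125, 0, 6422, 112)          # 125.0.6422.112 and later
PATCHED_EXTENDED_STABLE = (124, 0, 6367, 233)  # 124.0.6367.233 and later

# Binary names to probe on PATH (an assumption; adjust for your distribution).
CANDIDATE_BINARIES = ("google-chrome", "google-chrome-stable",
                      "chromium", "chromium-browser")


def parse_version(text):
    """Extract a four-part Chrome/Chromium version tuple from output such as
    'Google Chrome 125.0.6422.112' or 'Chromium 124.0.6367.201 snap'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no Chrome-style version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_patched(version):
    """True if `version` is at or above the fixed build on its release line.

    124.x is the extended stable line; 125.x and any later major release is
    compared against the stable fix. Anything older than 124 predates both
    fixes and is reported as unpatched.
    """
    major = version[0]
    if major >= 125:
        return version >= PATCHED_STABLE
    if major == 124:
        return version >= PATCHED_EXTENDED_STABLE
    return False


def installed_chrome_version(binaries=CANDIDATE_BINARIES):
    """Run the first Chrome/Chromium binary found on PATH with --version and
    return its version tuple, or None if no binary is installed."""
    for name in binaries:
        path = shutil.which(name)
        if not path:
            continue
        proc = subprocess.run([path, "--version"], capture_output=True,
                              text=True, timeout=15, check=False)
        return parse_version(proc.stdout + proc.stderr)
    return None


def report(version):
    """Human-readable one-line verdict for an inventory or monitoring job."""
    if version is None:
        return "no Chrome/Chromium binary found on PATH"
    dotted = ".".join(str(p) for p in version)
    verdict = "patched" if is_patched(version) else "VULNERABLE - update now"
    return f"Chrome {dotted}: {verdict} (CVE-2024-5274)"


if __name__ == "__main__":
    print(report(installed_chrome_version()))
```

The comparison is done on integer tuples rather than on the raw string, so a build such as 125.0.6422.113 or a later 126.x release is correctly recognised as fixed while 125.0.6422.76 is not. For fleet use, run it under your configuration-management tool and alert on any line containing "VULNERABLE".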

In the past two weeks, Google has already had to close three other zero-day vulnerabilities in the Chromium browser, all of which were likewise under active exploitation.


Found on https://www.heise.de/news/Google-Chrome-Vierte-bereits-missbrauchte-Zero-Day-Luecke-in-zwei-Wochen-9730530.html