Google Chrome: another security vulnerability closed with update

Chrome: Another zero-day vulnerability closed with update

Google is updating the Chrome web browser for the third time in a week. Once again, an exploit for a zero-day vulnerability in it is circulating.

Google is once again releasing an emergency security update for the Chrome web browser. Once again, an exploit for a new zero-day vulnerability in the browser is circulating in the wild. With this release, the browser also moves to the 125 release branch.

In the release announcement, Google's developers write that the new version closes a total of nine security vulnerabilities. They give brief details on only four of them; the other five were found internally. Of those four, two are rated high risk, one medium and one low.

Zero-day vulnerability with exploit

One of them is a type-confusion vulnerability in the V8 JavaScript engine. With this class of bug, the data type the engine actually processes does not match the type the code assumes, which can lead to memory accesses outside the intended bounds and, in some cases, to the execution of injected code. Here, attackers can abuse the vulnerability, for example via a maliciously crafted website, to execute arbitrary code inside a sandbox (CVE-2024-4947, no CVSS value, risk "high" according to Google). On its own that means code execution in the sandboxed renderer process; taking over the system beyond that would additionally require a sandbox-escape vulnerability. Google is aware of an exploit for this vulnerability circulating in the wild.

The new versions also close a use-after-free vulnerability in Dawn, Chrome's WebGPU implementation (CVE-2024-4948, high), another use-after-free in the V8 JavaScript engine (CVE-2024-4949, medium), and an inappropriate implementation in Downloads (CVE-2024-4950, low).

The patched browser versions are Chrome 125.0.6422.53 for Android, 125.0.6422.60 for Linux and 125.0.6422.60/.61 for macOS and Windows. The extended stable channel has also been updated, to 124.0.6367.221 for macOS and Windows. Anyone using Google Chrome should make sure the latest version is installed and actually running; an update that Chrome has downloaded in the background only takes effect after the browser has been restarted.

Ensure that the latest version is running

Chrome's version dialog shows the currently installed version and, if necessary, starts the update process. It is reached via the browser's settings menu, behind the icon with the three stacked dots to the right of the address bar, and then "Help" - "About Google Chrome".

Under Linux, Chrome is usually updated through the package management of the distribution in use. Because the vulnerabilities affect the Chromium code base, on which other browsers such as Microsoft's Edge are also built, updates for those derived browsers should follow shortly. Users should install them as soon as they appear.
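As an added example (not from the article, Google or the Chromium project), the following POSIX shell script turns the version list above into a check suitable for auditing several machines: it extracts the version from the output of `google-chrome --version`, works out which release branch the installed build belongs to, and compares it against the minimum fixed version the article gives for that branch and platform. The function names, the platform labels and the sample `--version` line are assumptions made for this example.

```shell
#!/bin/sh
# Added example: is an installed Chrome build at or above the fixed versions
# named in the article? Thresholds are the article's; function names, platform
# labels and the sample output below are assumptions made for this script.

# version_ge A B: exit 0 if dotted version A >= B (up to four components), else 1.
version_ge() {
    i=1
    while [ "$i" -le 4 ]; do
        pa=$(printf '%s' "$1" | cut -d. -f"$i")
        pb=$(printf '%s' "$2" | cut -d. -f"$i")
        pa=${pa:-0}; pb=${pb:-0}
        if [ "$pa" -gt "$pb" ]; then return 0; fi
        if [ "$pa" -lt "$pb" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# parse_chrome_version "Google Chrome 125.0.6422.60": print the version field,
# or nothing if the line carries no four-component version.
parse_chrome_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+){3}' | head -n 1
}

# chrome_is_patched PLATFORM VERSION: exit 0 if VERSION contains the fixes.
# Stable 125 and extended stable 124 are separate branches, so the build is
# compared against the threshold of the branch it actually belongs to; a
# 124.x build on a platform without a listed extended-stable fix counts as
# unpatched, and anything newer than 125 is assumed to include the fix.
chrome_is_patched() {
    platform=$1; ver=$2
    printf '%s' "$ver" | grep -qE '^[0-9]+(\.[0-9]+){3}$' || return 1
    major=${ver%%.*}
    case "$platform:$major" in
        android:125)            version_ge "$ver" 125.0.6422.53 ;;
        linux:125)              version_ge "$ver" 125.0.6422.60 ;;
        macos:125|windows:125)  version_ge "$ver" 125.0.6422.60 ;;
        macos:124|windows:124)  version_ge "$ver" 124.0.6367.221 ;;
        *)                      [ "$major" -gt 125 ] ;;
    esac
}

# Demonstration on a constructed sample of `google-chrome --version` output.
sample='Google Chrome 125.0.6422.60'
v=$(parse_chrome_version "$sample")
if chrome_is_patched linux "$v"; then
    echo "$v: patched"
else
    echo "$v: update needed"
fi
```

Against a live Linux installation, run `chrome_is_patched linux "$(parse_chrome_version "$(google-chrome --version)")"`. The branch split matters: a 124.x build is only fixed if it is the extended stable release 124.0.6367.221 or later on macOS or Windows, and the script reports any 124.x build on Linux or Android as unpatched because the article lists no fixed extended-stable version for those platforms.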

There is currently an unusual accumulation of in-the-wild exploits for previously unknown vulnerabilities in Chrome, so-called zero-day vulnerabilities. Google had already released emergency updates last Friday and this Tuesday to patch such vulnerabilities.

Found on https://www.heise.de/news/Chrome-Weitere-Zero-Day-Luecke-mit-Update-geschlossen-9720152.html