Security vulnerability in Google Chrome
Google Chrome: Security vulnerability is being exploited in the wild
Google is updating the Chrome web browser. The update closes high-risk security gaps. One of them is already being abused.
Google's developers are closing several security gaps with an update to the Chrome web browser, one of which is already being attacked in the wild. In total, the new version seals four security vulnerabilities. Anyone using Chrome or browsers based on it should apply the update as soon as possible.
Four vulnerabilities in Chrome
According to Google's release notification, the vulnerability that is already being attacked is an out-of-bounds memory access in the V8 JavaScript engine (CVE-2024-0519, no CVSS value, "high" risk according to Google). In addition, attackers can abuse a "type confusion" vulnerability in V8, for example with manipulated websites: the data types passed do not match those the program code expects, which can also lead to access to memory areas not intended for this purpose (CVE-2024-0518, no CVSS value, high).
Write access outside the memory limits is possible through another vulnerability in the V8 engine - the reporter of the gap will even receive a reward of 16,000 US dollars from Google (CVE-2024-0517, no CVSS value, high). Google has not provided any information on the fourth vulnerability, as it has apparently not been reported by external IT security researchers.
The errors are corrected in Chrome versions 120.0.6099.230 for Android, 120.0.6099.224 for Linux, 120.0.6099.234 for macOS and 120.0.6099.224/225 for Windows. The Extended Stable versions for macOS and Windows also have these version numbers.
Checking the active software version
You can check whether the current and bug-fixed version of Google Chrome is already running in the version dialog. This shows the current software version and starts the update process if required.
The dialog can be opened by clicking on the icon with the three vertically stacked dots and then clicking "Help" - "About Google Chrome". If you use Chrome on Linux, you should start the software management of the distribution used and search for the update. As the Chromium browser and its JavaScript engine also serve as the basis for other web browsers such as Microsoft's Edge, users of these browsers should also check whether an update is already available and apply it.
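For checking more than one machine, the same comparison can be scripted. The following is an added example, not part of the original article: it compares reported Chrome version strings against the fixed builds listed above. The inventory format, host names and sample version strings are constructed assumptions.

```python
import re

# Fixed Chrome builds named in the article, per platform.
# These thresholds apply to Google Chrome only; other Chromium-based
# browsers such as Edge use their own version numbers.
FIXED = {
    "android": "120.0.6099.230",
    "linux": "120.0.6099.224",
    "macos": "120.0.6099.234",
    "windows": "120.0.6099.224",  # article lists 224/225; 224 is the lower bound
}

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

def parse_version(text):
    """Extract the four-part version from e.g. 'Google Chrome 120.0.6099.224'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no four-part version in {text!r}")
    return tuple(int(p) for p in m.groups())  # numeric, not string, comparison

def is_patched(platform, version_text):
    """True if the reported build is at or above the fixed build for the platform."""
    fixed = parse_version(FIXED[platform.lower()])
    return parse_version(version_text) >= fixed

def audit(inventory):
    """Return (host, platform, version, status) rows; unusable entries are flagged."""
    rows = []
    for host, platform, raw in inventory:
        try:
            status = "patched" if is_patched(platform, raw) else "UPDATE NEEDED"
        except (ValueError, KeyError):
            status = "unknown"  # unparseable version or unlisted platform
        rows.append((host, platform, raw.strip(), status))
    return rows

# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE = [
    ("ws-01", "windows", "Google Chrome 120.0.6099.225"),
    ("ws-02", "windows", "Google Chrome 120.0.6099.100"),
    ("mac-01", "macos", "Google Chrome 120.0.6099.224"),  # below the macOS fix
    ("lnx-01", "linux", "Google Chrome 121.0.0.1"),
    ("lnx-02", "linux", "not installed"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row, sep="\t")
```

The macOS row shows why the threshold has to be per platform: build 224 is the fixed version on Linux and Windows but is still below the macOS fix.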
In last week's regular Chrome update, the developers fixed a security vulnerability. It was also considered a high risk.
Found at: Google Chrome: Security vulnerability is being exploited in the wild | heise online