Google on Tuesday launched updates to repair 4 safety points in its Chrome browser, together with an actively exploited zero-day flaw.
The problem, tracked as CVE-2024-0519, issues an out-of-bounds reminiscence entry within the V8 JavaScript and WebAssembly engine, which will be weaponized by risk actors to set off a crash.
“By studying out-of-bounds reminiscence, an attacker may be capable to get secret values, equivalent to reminiscence addresses, which will be bypass safety mechanisms equivalent to ASLR as a way to enhance the reliability and chance of exploiting a separate weak spot to realize code execution as an alternative of simply denial of service,” in response to MITRE’s Frequent Weak point Enumeration (CWE).
Extra particulars in regards to the nature of the assaults and the risk actors that could be exploiting them have withheld in an try to stop additional exploitation. The problem was reported anonymously on January 11, 2024.
“Out-of-bounds reminiscence entry in V8 in Google Chrome previous to 120.0.6099.224 allowed a distant attacker to doubtlessly exploit heap corruption by way of a crafted HTML web page,” reads a description of the flaw on the NIST’s Nationwide Vulnerability Database (NVD).
The event marks the primary actively exploited zero-day to be patched by Google in Chrome in 2024. Final yr, the tech big resolved a complete of 8 such actively exploited zero-days within the browser.
Customers are beneficial to improve to Chrome model 120.0.6099.224/225 for Home windows, 120.0.6099.234 for macOS, and 120.0.6099.224 for Linux to mitigate potential threats.
Customers of Chromium-based browsers equivalent to Microsoft Edge, Courageous, Opera, and Vivaldi are additionally suggested to use the fixes as and after they turn into out there.