Google has taken swift action by releasing updates to address four security issues in its Chrome browser, notably resolving an actively exploited zero-day vulnerability. The identified flaw, tracked as CVE-2024-0519, revolves around an out-of-bounds memory access in the V8 JavaScript and WebAssembly engine. Threat actors can leverage this vulnerability to trigger system crashes or potentially gain access to secret values, as outlined by MITRE’s Common Weakness Enumeration (CWE). The ability to read out-of-bounds memory allows attackers to obtain sensitive information, enhancing the likelihood of exploiting other weaknesses for code execution.
While specific details about the nature of the attacks and the responsible threat actors are deliberately withheld to prevent further exploitation, the issue was reported anonymously on January 11, 2024. Described on the NIST’s National Vulnerability Database (NVD), the flaw in V8 prior to version 120.0.6099.224 could be exploited remotely via a crafted HTML page, potentially leading to heap corruption. Notably, this marks the first actively exploited zero-day patched by Google in Chrome for 2024, with the tech giant having addressed eight similar instances in the browser the previous year.
Google emphasizes the urgency for users to upgrade to the latest Chrome versions (120.0.6099.224/225 for Windows, 120.0.6099.234 for macOS, and 120.0.6099.224 for Linux) to mitigate potential threats stemming from the zero-day vulnerability. Additionally, users of Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi are advised to apply fixes as they become available. The rapid response underscores the ongoing commitment to addressing security concerns promptly and ensuring users are protected against potential exploits in the evolving landscape of cyber threats.
