Google Patches Tenth Zero-Day Exploited in 2024
Google has patched its tenth zero-day vulnerability exploited in the wild in 2024, identified as CVE-2024-7965. The vulnerability, discovered by a security researcher known as TheDog, is classified as a high-severity issue stemming from an inappropriate implementation in Chrome’s V8 JavaScript engine. This flaw could allow remote attackers to exploit heap corruption via a specially crafted HTML page, leading to potentially severe consequences such as unauthorized access or remote code execution.
Details of the Vulnerability
CVE-2024-7965 is a critical flaw related to how Chrome’s V8 engine handles certain JavaScript code execution scenarios. This vulnerability could be exploited by attackers who lure users to maliciously crafted websites, triggering heap corruption and allowing the execution of arbitrary code or other malicious activities on the victim’s device.
This vulnerability is similar to another recently patched zero-day, CVE-2024-7971, which also involves the V8 engine and has been exploited in the wild. Both of these vulnerabilities have been fixed in the latest Chrome update.
Patching and Updates
Google addressed CVE-2024-7965 and CVE-2024-7971 in Chrome version 128.0.6613.84/.85 for Windows and macOS, and version 128.0.6613.84 for Linux. The updates have been rolling out automatically to users in the Stable Desktop channel since Wednesday. Users are strongly encouraged to ensure their browsers are up to date by navigating to Chrome menu > Help > About Google Chrome and following the prompts to install the latest version.
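A fleet check against the fixed builds named above, as an added example that is not part of the original article. The inventory layout (host, platform, reported version string), the host names and the sample rows are constructed assumptions; the comparison is numeric per component, because a plain string comparison would rank 128.0.6613.9 above 128.0.6613.84.

```python
import csv
import io
import re

# Minimum fixed builds stated in the article for CVE-2024-7965 and
# CVE-2024-7971 (.85 on Windows/macOS is also fixed, so .84 is the floor).
FIXED = {
    "windows": (128, 0, 6613, 84),
    "macos": (128, 0, 6613, 84),
    "linux": (128, 0, 6613, 84),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part Chrome version from free text, or None."""
    match = VERSION_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def classify(platform, version_text):
    """Return 'patched', 'needs_update' or 'unknown' for one endpoint."""
    fixed = FIXED.get((platform or "").strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # unlisted platform or unparseable version string
    # Tuple comparison is numeric per component, unlike string comparison.
    return "patched" if version >= fixed else "needs_update"


def audit(inventory_csv):
    """Map each host in a CSV inventory to its patch status."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["platform"], r["version_output"]) for r in rows}


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = """\
host,platform,version_output
ws-001,windows,Google Chrome 128.0.6613.85
ws-002,windows,Google Chrome 127.0.6533.120
mac-001,macos,Google Chrome 128.0.6613.84
lnx-001,linux,Google Chrome 128.0.6613.9
lnx-002,linux,chrome not found
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as unknown should be followed up by hand rather than assumed patched.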
Context of Other Zero-Days Patched in 2024
Throughout 2024, Google has been actively patching zero-day vulnerabilities, many of which have been exploited in the wild or during high-profile hacking contests like Pwn2Own. The list of patched vulnerabilities includes various flaws within Chrome’s V8 engine, WebAssembly standard, WebCodecs API, and other critical components of the browser:
- CVE-2024-0519: Out-of-bounds memory access in V8, leading to heap corruption.
- CVE-2024-2887: Type confusion in WebAssembly, leading to potential RCE.
- CVE-2024-2886: Use-after-free in WebCodecs API, enabling remote code execution.
- CVE-2024-3159: Out-of-bounds read in V8, resulting in data leakage.
- CVE-2024-4671: Use-after-free in the Visuals component.
- CVE-2024-4761: Out-of-bounds write in V8.
- CVE-2024-4947: Type confusion in V8, leading to arbitrary code execution.
- CVE-2024-5274: Another type confusion in V8 causing crashes or data corruption.
These vulnerabilities, particularly those in the V8 JavaScript engine, demonstrate the high level of scrutiny that Chrome’s core components face from both attackers and security researchers.
Implications and Recommendations
The rapid discovery and exploitation of these vulnerabilities underscore the importance of keeping software up to date. Google has not disclosed specific details about the exploitation of CVE-2024-7965 and CVE-2024-7971 to protect users until the majority have applied the necessary patches.
Source: bleepingcomputer.com