Google Warns of Exploited Chrome Vulnerability

Less than a week after releasing Chrome 128 to the stable channel to address a zero-day vulnerability, Google warns that another bug resolved with the update is being exploited in the wild.

The issue, tracked as CVE-2024-7965 (CVSS score of 8.8), is described as an inappropriate implementation in the V8 JavaScript engine that allows a remote attacker to exploit heap corruption via crafted HTML pages.

Essentially, if the victim visits a compromised or malicious web page, the vulnerability could allow the attacker to execute code or access sensitive information.

Google notes in its updated advisory that the in-the-wild exploitation of the security defect was reported after the browser update was released, but did not make it clear whether the flaw was exploited as a zero-day.

CVE-2024-7965 affects Chrome releases before version 128.0.6613.84, which was released last week with patches for 37 vulnerabilities, including CVE-2024-7971, a type confusion bug in V8 that was exploited as a zero-day.
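A defender's first question on reading the line above is which hosts in the fleet still run a build older than 128.0.6613.84. The script below, an added example and not code from Google, CISA or the original article, parses four-part Chromium version strings into numeric tuples and compares them against that fixed version, flagging unparseable inventory entries separately rather than guessing. The hostnames and versions in `SAMPLE_INVENTORY` are constructed sample data, and the fixed version applies to Google Chrome only; other Chromium-based browsers such as Edge and Opera carry their own version numbers and fixed builds, which the article does not give, so they are deliberately not covered here.

```python
import re
from typing import List, Optional, Tuple

# Fixed Chrome version from the advisory: builds before this are affected
# by CVE-2024-7965 (and by the zero-day CVE-2024-7971 patched alongside it).
FIXED_VERSION = "128.0.6613.84"

# Chrome version strings are exactly four dotted numeric components.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")

# Constructed sample inventory (hostname, reported Chrome version).
# These are illustrative entries, not real hosts.
SAMPLE_INVENTORY = [
    ("ws-01", "127.0.6533.120"),  # previous major release: affected
    ("ws-02", "128.0.6613.84"),   # exactly the fixed build: not affected
    ("ws-03", "128.0.6613.85"),   # later build: not affected
    ("ws-04", "128.0.6612.99"),   # 128 branch but an older build: affected
    ("ws-05", "unknown"),         # inventory gap: needs a manual check
    ("ws-06", "99.0.4844.51"),    # old build; naive string compare would miss it
]


def parse_version(v: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn '128.0.6613.84' into (128, 0, 6613, 84).

    Returns None for anything that is not exactly four numeric parts, so
    malformed or missing inventory data is surfaced instead of silently
    compared as a string (where '99...' would sort above '128...').
    """
    m = VERSION_RE.match(v.strip())
    if not m:
        return None
    major, minor, build, patch = (int(x) for x in m.groups())
    return (major, minor, build, patch)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if installed < fixed, False if installed >= fixed,
    None if the installed version string could not be parsed."""
    inst = parse_version(installed)
    fix = parse_version(fixed)
    if inst is None or fix is None:
        return None
    return inst < fix


def triage(inventory) -> Tuple[List[str], List[str], List[str]]:
    """Split (host, version) pairs into affected, patched and unparseable hosts."""
    affected: List[str] = []
    patched: List[str] = []
    unknown: List[str] = []
    for host, ver in inventory:
        verdict = is_vulnerable(ver)
        if verdict is None:
            unknown.append(host)
        elif verdict:
            affected.append(host)
        else:
            patched.append(host)
    return affected, patched, unknown


if __name__ == "__main__":
    affected, patched, unknown = triage(SAMPLE_INVENTORY)
    print("affected (older than %s):" % FIXED_VERSION, affected)
    print("patched:", patched)
    print("needs manual check:", unknown)
```

Tuple comparison is what makes the check correct: comparing version strings lexically would rank a Chrome 99 build above 128, and comparing only the major version would miss older builds within the 128 branch, which is why ws-04 and ws-06 are included in the sample data.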

The US cybersecurity agency CISA added the zero-day to its Known Exploited Vulnerabilities (KEV) catalog on Monday, warning that it could affect web browsers that utilize Chromium, such as Chrome, Edge, and Opera.

CISA says it has evidence of CVE-2024-7971 being exploited in the wild, without providing details on the observed attacks. 

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA warns.

With the flaw added to KEV, federal agencies have until September 16 to identify vulnerable instances in their environments and apply the available patches, as Binding Operational Directive (BOD) 22-01 mandates.

Although BOD 22-01 only applies to federal agencies, all organizations are advised to prioritize applying patches for the vulnerabilities listed in the KEV catalog.

Related: Google Patches Sixth Exploited Chrome Zero-Day of 2024

Related: SolarWinds Axes Hardcoded Credentials With Hotfix for Exploited Web Help Desk Flaw

Related: Selenium Grid Instances Exploited for Cryptomining

Related: Windows Event Log Vulnerabilities Could Be Exploited to Blind Security Products
