Google Patches Fourth Chrome Zero-Day in Two Weeks

 


Google released a new Chrome update on Thursday to address another exploited vulnerability in the popular web browser, marking the fourth zero-day fix within just two weeks. This high-severity flaw, identified as CVE-2024-5274, is categorized as a type confusion issue in the V8 JavaScript and WebAssembly engine.

In an official advisory, Google acknowledged the presence of an active exploit for CVE-2024-5274 but did not provide specific details about the bug or its exploitation. The vulnerability was reported by Clement Lecigne from Google’s Threat Analysis Group (TAG) and Brendon Tiszka from Chrome Security, though no bug bounty reward will be issued for this discovery.

Chrome vulnerabilities are frequently targeted by commercial surveillance software vendors. Google's TAG has previously identified several zero-day exploits used by spyware vendors, including security flaws in Chrome itself. The swift identification and patching of these vulnerabilities underscore the ongoing battle against sophisticated cyber threats.

CVE-2024-5274 is the latest in a series of vulnerabilities patched by Google. Within the last 15 days, Google has addressed three other significant flaws: CVE-2024-4671 (use-after-free in Visuals), CVE-2024-4761 (out-of-bounds write in V8), and CVE-2024-4947 (another type confusion in V8). This brings the total number of Chrome zero-days resolved this year to eight. Among these, CVE-2024-2886, CVE-2024-2887, and CVE-2024-3159 were demonstrated at the Pwn2Own Vancouver 2024 hacking contest in March.


The latest Chrome update is now available as version 125.0.6422.112 for Linux and versions 125.0.6422.112/.113 for Windows and macOS. Additionally, Google announced the release of Chrome for Android versions 125.0.6422.112/.113, which include the same security fixes.

As cyber threats continue to evolve, it remains crucial for users to keep their software up to date. Google's rapid response to these vulnerabilities highlights the importance of vigilance in cybersecurity.
