New Chrome zero-day actively exploited, patch quickly! (CVE-2024-7971)
A new Chrome zero-day vulnerability (CVE-2024-7971) exploited by attackers in the wild has been fixed by Google.
About CVE-2024-7971
CVE-2024-7971 is a high-severity vulnerability caused by a type confusion weakness in V8, the open-source JavaScript and WebAssembly engine developed by Google for the Chromium and Google Chrome web browsers.
“In languages without memory safety, such as C and C++, type confusion can lead to out-of-bounds memory access,” Mitre explains the problem. (V8 is written in C++.)
As per usual, Google did not provide access to bug details and links – it’s holding off until most users are updated with a fix. The vulnerability’s NVD entry says that the flaw “allowed a remote attacker to exploit heap corruption via a crafted HTML page.”
The vulnerability has been reported by Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC), presumably after discovering the attacks.
Fixing CVE-2024-7971
Google has fixed CVE-2024-7971 and delivered 37 additional security fixes in Chrome v128.0.6613.84/.85 (for Windows and Mac) and v128.0.6613.84 (Linux).
Users are advised to upgrade their Chrome installation if they don’t have the automatic updating option switched on.
Fixes for security holes in V8 are usually propagated to Microsoft’s Edge browser quickly, as the browser uses the Blink and V8 engines developed by the Chromium team. “We are actively working on releasing a security fix,” the company stated on Wednesday.
Other Chromium-based browsers – e.g., Brave, Opera, and Vivaldi – should implement the fixes soon.
Looking for 0-days in V8
CVE-2024-7971 is the ninth actively exploited Chrome zero-day – and the third type confusion bug in the V8 engine – fixed this year.
In late 2023, Google has called on bug hunters to probe its V8 engine for zero-day flaws and report them, as well as exploit writers to try and exploit n-day and 0-day vulnerabilities. Rewards for both zero-days and exploits have been offered.
Unfortunately, attackers are looking for zero-days, as well.