Cybersecurity Weekly

Google has released crucial updates for its Chrome browser, addressing four security vulnerabilities, one of which is an actively exploited zero-day flaw.

The identified issue, known as CVE-2024-0519, revolves around an out-of-bounds memory access in the V8 JavaScript and WebAssembly engine. This flaw could be exploited by malicious actors to provoke a crash. By reading out-of-bounds memory, attackers might obtain secret values, such as memory addresses, enabling them to bypass protection mechanisms like Address space layout randomization (ASLR).
This enhances the chances of exploiting another weakness to achieve code execution rather than mere denial of service. The specifics of the attacks and the threat actors involved have been withheld to prevent further exploitation. This zero-day was reported anonymously on January 11, 2024.

According to the Common Weakness Enumeration (CWE) by MITRE, the out-of-bounds memory access in V8 before Chrome version 120.0.6099.224 could allow a remote attacker to potentially exploit heap corruption through a crafted HTML page.

This incident marks Google's first patch for an actively exploited zero-day in Chrome for 2024. Notably, the company resolved eight such actively exploited zero-days in the browser in the previous year.

To mitigate potential threats, users are strongly advised to upgrade to the latest Chrome version—120.0.6099.224/225 for Windows, 120.0.6099.234 for macOS, and 120.0.6099.224 for Linux. Users of Chromium-based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi, should also promptly apply the fixes as they become available.

Stay secure by keeping your browser up to date.