Advisory

Google releases fix for actively exploited Chrome vulnerability

Take action: Time to update your Chrome browser ASAP. It takes several seconds and the browser reopens your tabs, so don't postpone. Also, check your other Chromium-based browsers (Opera, Brave, Edge) for updates.



Google has issued a security patch for an actively exploited vulnerability in Chrome, the first zero-day flaw exploited in the wild since the beginning of the year.

This vulnerability is tracked as CVE-2024-0519 (CVSS score 8.8), a high-severity out-of-bounds memory access flaw in Chrome's V8 JavaScript engine. It allows attackers to access data outside the allocated memory buffer, potentially exposing sensitive information or causing a system crash. The flaw might also cause a segmentation fault or buffer overflow, allowing attackers to bypass certain security mechanisms and enabling code execution through other vulnerabilities.

Google acknowledges that an exploit for this vulnerability exists in the wild, but details about these incidents have not been publicly disclosed.

Google addressed this vulnerability for users on the Stable Desktop channel within a week of the issue being reported. Patched versions have been made available globally for various operating systems:

  • Windows users received versions 120.0.6099.224/225,
  • Mac users got version 120.0.6099.234,
  • Linux users were updated with version 120.0.6099.224.

For users who prefer not to manually update their web browsers, Chrome offers an automatic update feature. This feature checks for and installs new updates automatically, which will take effect upon the next launch of the browser.
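One way to check an inventory of reported Chrome versions against the patched builds listed above (an added example, not part of the original advisory or Google's tooling). The host names and inventory rows are constructed, and the build floors apply to Google Chrome only, since other Chromium-based browsers use their own version numbers.

```python
import re

# Patched builds per platform, from the advisory above (Windows .224 is the floor).
# Compare as integer tuples: as strings, "120.0.6099.99" would sort above ".224".
PATCHED = {
    "windows": (120, 0, 6099, 224),
    "mac": (120, 0, 6099, 234),
    "linux": (120, 0, 6099, 224),
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part version from text such as `chrome --version` output."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no four-part version in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_patched(platform, version_text):
    """True if the reported build is at or above the advisory's patched build."""
    return parse_version(version_text) >= PATCHED[platform.lower()]


def audit(inventory):
    """Return (host, reason) for rows that are unpatched or cannot be evaluated."""
    findings = []
    for host, platform, version_text in inventory:
        try:
            ok = is_patched(platform, version_text)
        except (ValueError, KeyError) as exc:
            findings.append((host, f"unknown: {exc}"))
            continue
        if not ok:
            findings.append((host, f"needs update: {version_text.strip()}"))
    return findings


# Constructed sample inventory (hostnames and version strings are made up).
SAMPLE = [
    ("ws-01", "windows", "Google Chrome 120.0.6099.225"),
    ("ws-02", "windows", "Google Chrome 120.0.6099.99"),
    ("mb-01", "mac", "Google Chrome 120.0.6099.224"),
    ("lx-01", "linux", "Google Chrome 121.0.6167.85 "),
    ("lx-02", "linux", "version unavailable"),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Because an automatic update only takes effect at the next launch, a browser that has not been restarted can still report the older build and will be flagged here.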

Additionally, Google has addressed two other flaws in the V8 engine: an out-of-bounds write issue (CVE-2024-0517) and a type confusion problem (CVE-2024-0518), both of which could potentially lead to arbitrary code execution on compromised devices.
