Google on May 13 issued a Mac and Windows patch for yet another Chrome browser zero-day flaw, the sixth such vulnerability in 2024.
Click for more special coverage
The latest news comes on the heels of Google announcing a patch for the fifth zero-day of the year just three days ago. An anonymous researcher is credited with informing Google of the bug in its popular web browser on May 9.
The high-severity vulnerability — CVE-2024-4761 — was described by NIST as an out-of-bounds write in V8 in Google Chrome prior to 124.0.6367.207 that lets a remote attacker perform an out-of-bounds memory write via a crafted HTML page.
Google said that it is aware that an exploit for CVE-2024-4761 exists in the wild, but has yet to see exploitation. The internet search giant also noted that it will make a patch available for Linux in the coming days/weeks.
An emergency patch without details is basically Google’s highest level of alert, explained Casey Ellis, founder and chief strategy officer at Bugcrowd. Ellis noted that while Google suggests that it hasn’t seen active exploitation in the wild, the fact that an exploit exists suggests that it will soon commence.
Click for more special coverage
“It bears repeating that Chrome will save and reopen Non-Incognito tabs, so if losing your place is stopping you or someone you know from applying this patch, you shouldn’t delay,” said Ellis.
Callie Guenther, senior manager of threat research at Critical Start, added that the frequent discovery of zero-day vulnerabilities in Chrome has significant intelligence implications. Guenther said these vulnerabilities can be exploited by threat actors, including state-sponsored groups, to conduct cyber espionage, steal sensitive information, and launch targeted attacks.
“Security professionals must stay vigilant, apply patches swiftly, and monitor for suspicious activities,” said Guenther. “The rapid identification and exploitation of these vulnerabilities highlight the need for robust cybersecurity measures and continuous monitoring to protect against advanced threats and safeguard critical infrastructure and data.”
Guenther said security pros should do the following:
- Ensure all Chrome installations are updated immediately.
- Monitor for new vulnerabilities and apply patches quickly.
- Implement additional security measures, such as browser isolation and sandboxing.
- Educate users about the importance of regular updates and potential risks.
“This [case] is an indicator of a healthy cyber ecosystem, given the flaw was reported by an independent security researcher on May 9, and Google's team was able to add the fixes to their code deployment stream over the weekend,” said Tom Siu, chief information security officer at Inversion6. “Typically software patches are released on a time ‘batch’ basis, but as we see in this case with actively exploited security flaws, it’s important to push software patches as soon as they are viable.”
