Zero-Day Alert: Update Chrome Now to Fix New Actively Exploited Vulnerability

17.01.2024

 

On Tuesday, Google issued updates addressing four security vulnerabilities in its Chrome browser, including a zero-day flaw actively exploited by threat actors. The identified issue, designated as CVE-2024-0519, involves an out-of-bounds memory access within the V8 JavaScript and WebAssembly engine. Exploiting this flaw could lead to a system crash. According to MITRE’s Common Weakness Enumeration (CWE), attackers could read out-of-bounds memory to obtain secret values, such as memory addresses. This could potentially bypass protection mechanisms like ASLR, enhancing the chances of exploiting another vulnerability for code execution rather than just causing a denial of service.

Details about the specific nature of the attacks and the identity of the threat actors have been deliberately withheld to prevent further exploitation. The issue was reported anonymously on January 11, 2024.

NIST’s National Vulnerability Database (NVD) describes the flaw as “out-of-bounds memory access in V8 in Google Chrome prior to 120.0.6099.224,” noting that a remote attacker could potentially exploit heap corruption through a crafted HTML page.

This development marks the first zero-day flaw actively exploited in 2024 that Google has patched for Chrome. In the preceding year, Google addressed a total of eight actively exploited zero-days in the browser.

To mitigate potential threats, users are strongly advised to update their Chrome browsers to version 120.0.6099.224/225 for Windows, 120.0.6099.234 for macOS, and 120.0.6099.224 for Linux.

Additionally, users of Chromium-based browsers, such as Microsoft Edge, Brave, Opera, and Vivaldi, are urged to promptly apply the provided fixes when they become available.

 
