Google discloses 2 zero-day vulnerabilities in less than a week
Google released fixed versions to address the two vulnerabilities in its Chrome web browser, but the updates will roll out in stages with no specific dates available.
Google patched another Chrome zero-day vulnerability on Monday, the second one in the span of four days.
In a blog post on Monday, Daniel Yip, technical program manager at Google, disclosed a high-severity out-of-bounds write vulnerability tracked as CVE-2024-4761. Google credited an anonymous researcher for discovery and stressed that vulnerability details are limited "until a majority of users are updated with a fix."
CVE-2024-4761 affects Google Chrome's open source V8 JavaScript engine. Google announced fixes for the flaw, but the updates will be rolled out in stages "over the coming days/weeks."
The scope of the exploitation remains unknown, but the vulnerability could pose issues for Chrome users since attackers continue to leverage zero-day vulnerabilities, especially in web browsers, at an increasingly fast pace.
It remains unclear how many users have been updated with a fix. To address patch management struggles with zero-day and known vulnerabilities, Google increased the security update frequency for the web browser last year.
"Google is aware that an exploit for CVE-2024-4761 exists in the wild," Yip wrote in the blog post.
To address CVE-2024-4761, Mac and Windows users should update to the fixed version 124.0.6367.207/.208, while Google released 124.0.6367.207 for Linux Chrome users.
On Thursday, Google disclosed another high-severity zero-day vulnerability tracked as CVE-2024-4671. Google provided few details for the use-after-free vulnerability, which affects the Visuals component and could allow an attacker to manipulate memory management.
Again, the vendor credited an anonymous researcher for discovering and reporting the flaw on May 7. Two days later, Google confirmed it was "aware that an exploit for CVE-2024-4671 exists in the wild." Attackers frequently begin exploiting vulnerabilities just days after a proof-of-concept exploit is published.
Google released fixes for CVE-2024-4671 in version 124.0.6367.201/.202 for Mac and Windows systems, and 124.0.6367.201 for Linux users.
Update: Google disclosed and patched a third zero-day vulnerability in Chrome on Wednesday. The high-severity vulnerability, tracked as CVE-2024-4947, is a type confusion flaw in V8. Google said an exploit for CVE-2024-4947, which was discovered and reported by Vasily Berdnikov and Boris Larin of Kaspersky Lab, exists in the wild.
Google hasn't attributed the zero-day attacks to specific threat actors or groups. Earlier this year, Google's Threat Analysis Group and Mandiant published a joint report of zero-day vulnerability exploitation trends in 2023. The report found that commercial spyware vendors were responsible for 75% of known zero-day exploits targeting Google products and Android devices last year.
Google did not respond to a request for comment at press time.
Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.
