Google Patched a Fourth Zero-Day Vulnerability in Chrome

Google Chrome is the most popular web browser in the world. Chances are, you either use Chrome, or a browser based on the same platform (Chromium), such as Microsoft Edge. With that in mind, when a security vulnerability is discovered in Chrome, it’s a big deal, especially when that vulnerability is a zero-day. However, it’s an even bigger deal when
May 28, 2024
 / 
meritsolutions
 / 
Image

Google Chrome is the most popular web browser in the world. Chances are, you either use Chrome, or a browser based on the same platform (Chromium), such as Microsoft Edge. With that in mind, when a security vulnerability is discovered in Chrome, it’s a big deal, especially when that vulnerability is a zero-day. However, it’s an even bigger deal when that zero-day happens to be the fourth one patched in a month, and the eight patched in the calendar year.

Google rolled out this latest patch to users on Thursday: The company says the flaw, called CVE-2024-5274, is a type confusion vulnerability, in which the program tries to use a resource with a type that isn’t compatible with the program. These flaws can be a boon for bad actors, who can exploit them to run their own code on the system (otherwise known as arbitrary code execution).

As CVE-2024-5274 is a zero-day, the flaw has already been actively exploited in the wild, which makes it imperative to update your browser as soon as possible. However, the larger concern is the frequency Google is patching zero-days: CVE-2024-5274 is the fourth patched this month, and the eighth released since the start of 2024.

You can find all eight zero-days listed below, per The Hacker News:

  • CVE-2024-0519 – Out-of-bounds memory access in V8
  • CVE-2024-2886 – Use-after-free in WebCodecs (demonstrated at Pwn2Own 2024)
  • CVE-2024-2887 – Type confusion in WebAssembly (demonstrated at Pwn2Own 2024)
  • CVE-2024-3159 – Out-of-bounds memory access in V8 (demonstrated at Pwn2Own 2024)
  • CVE-2024-4671 – Use-after-free in Visuals
  • CVE-2024-4761 – Out-of-bounds write in V8
  • CVE-2024-4947 – Type confusion in V8

While patching a zero-day quickly is essential, it isn’t clear why Google is discovering so many zero-days in the first place. It’s concerning that bad actors are discovering and exploiting these flaws in rapid succession, considering the massive user base they can target. Short of switching to a browser that isn’t based on Chromium, like Firefox or, if using a Mac, Safari, the only thing to do is hope Google finds future vulnerabilities before bad actors do.

In the meantime, make sure to keep Google Chrome or your Chromium browser, like Microsoft Edge, updated at all times.

Share This

Leave a Reply

    1. Post
      Author


Sign Up for weekly MERIT Security Briefing

By signing up, you agree to our Privacy Policy.