Bad Actors Exploited a Chrome Zero-Day In August

September 10, 2024 / meritsolutions

Google Chrome is, by far, the most popular web browser in the world. Even if you don’t use Chrome, you may use a browser built on its platform: Microsoft Edge, for example, is built on Chromium, the same open-source platform that powers Chrome.

All that to say, there’s a good chance the app you use for work or personal browsing is affected by the same flaws: If there’s a vulnerability in Chrome, there’s a vulnerability in Edge.

Last month, one important vulnerability of this kind appeared: Google disclosed in August that it had discovered a zero-day vulnerability affecting Chrome and Chromium-based browsers. The flaw is tracked as CVE-2024-7971 and is a type confusion flaw within the browser’s JavaScript engine. A bad actor who exploits the flaw can gain out-of-bounds memory access and ultimately execute their own code on the target’s machine.

Zero-days are bad news, since these types of flaws are discovered before a developer has the chance to patch them. However, in this case, Chrome’s zero-day is particularly bad: Google confirmed the flaw was actively exploited in the wild, which means some bad actors not only know about it, but took advantage of it.

The good news is the flaw has been patched: So long as you update your browser to the latest version, you’ll be protected from this vulnerability.

That said, this is the ninth zero-day vulnerability Google has patched this year: Bad actors are discovering these flaws before Google has a chance to patch them. The main solace is that, most of the time, they don’t know how to exploit them before a patch rolls around. This time, however, that wasn’t the case.
