Google Discovers Active Attack on May's Fourth Chrome Zero-Day: Update Immediately


Google released updates for its Chrome browser on Thursday to address a high-severity security vulnerability that it said has been exploited in the wild.


The vulnerability, tracked as CVE-2024-5274, is a type confusion bug in V8, Chrome's JavaScript and WebAssembly engine. It was reported by Clément Lecigne of Google's Threat Analysis Group and Brendon Tiszka of Chrome Security on May 20, 2024.



Type confusion vulnerabilities occur when a program attempts to access a resource using an incompatible type. The consequences can be serious, because such a flaw can allow threat actors to perform out-of-bounds memory access, cause a crash, and execute arbitrary code.


With the development, Google has now fixed four zero-day vulnerabilities this month, following CVE-2024-4671, CVE-2024-4761, and CVE-2024-4947.


The tech giant confirmed that it "is aware that an attack for CVE-2024-5274 exists in the wild," but it did not provide any further technical specifics regarding the vulnerability. It is unclear whether the flaw is a bypass of the patch for CVE-2024-4947, which is also a type confusion bug in V8.


With the most recent patch, Google has fixed eight zero-day vulnerabilities in Chrome since the beginning of the year.


To reduce possible risks, users are advised to update to Chrome versions 125.0.6422.112/.113 for Windows and macOS and 125.0.6422.112 for Linux.

Users of Chromium-based browsers such as Vivaldi, Microsoft Edge, Brave, and Opera are also advised to apply the fixes as soon as they become available.
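The version guidance above can be checked across a fleet with a short script. The following is an added example, not part of the original article: it compares reported Google Chrome version strings against the fixed builds the article names, using numeric comparison so that a build such as `.76` is not mistaken for being newer than `.112`. The host names and inventory rows are constructed sample data, and other Chromium-based browsers are not covered because the article gives no fixed versions for them.

```python
import re

# First fixed build per platform, taken from the article.
FIXED = {
    "windows": (125, 0, 6422, 112),
    "macos": (125, 0, 6422, 112),
    "linux": (125, 0, 6422, 112),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part version from text such as
    'Google Chrome 125.0.6422.112'; return a tuple of ints or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def is_patched(platform, version_text):
    """True if at or above the fixed build, False if older,
    None if the platform is unknown or the version cannot be parsed."""
    fixed = FIXED.get(platform.lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return None
    # Tuples of ints compare field by field, unlike raw strings.
    return version >= fixed


def audit(inventory):
    """Sort (host, platform, version string) rows into three buckets."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, platform, version_text in inventory:
        status = is_patched(platform, version_text)
        key = "unknown" if status is None else ("patched" if status else "vulnerable")
        report[key].append(host)
    return report


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE = [
    ("ws-01", "windows", "Google Chrome 125.0.6422.113"),
    ("ws-02", "windows", "Google Chrome 125.0.6422.76"),
    ("mac-01", "macos", "Google Chrome 125.0.6422.112"),
    ("lin-01", "linux", "Google Chrome 124.0.6367.207"),
    ("lin-02", "linux", "Google Chrome 126.0.6478.55"),
    ("kiosk-01", "linux", "version unavailable"),
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts that land in the `unknown` bucket should be treated as unpatched until their version can be confirmed.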




