Google Patches Ninth Chrome Zero-day Vulnerability of the Year (CVE-2024-7971)

For the ninth time this year, Google Chrome users are urged to update their browsers immediately as a new zero-day vulnerability has been discovered. Google released a security advisory to address the zero-day vulnerability tracked as CVE-2024-7971.

CVE-2024-7971 is a type confusion vulnerability in Chrome’s V8 JavaScript engine. Security researchers with the Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) discovered the vulnerability and reported it to Google.

CISA acknowledged the active exploitation of CVE-2024-7971 by adding it to its Known Exploited Vulnerabilities Catalog and requesting users patch the flaw before September 16, 2024.

The latest advisory includes fixes for 38 vulnerabilities of varying severities.

Updates in the Google Advisory

Google updated its advisory on August 26th, noting that CVE-2024-7965 is also being exploited in the wild. CVE-2024-7965 is an inappropriate implementation vulnerability in V8.

CISA KEV Update

CISA acknowledged the active exploitation of CVE-2024-7965 by adding it to its Known Exploited Vulnerabilities Catalog and requesting users patch the flaw before September 18, 2024.

With the latest updates, the number of zero-day vulnerabilities fixed this year has increased to 10. The earlier ones are:

  1. CVE-2024-0519: Out-of-bounds memory access in V8
  2. CVE-2024-2887: Type confusion in WebAssembly
  3. CVE-2024-2886: Use-after-free in WebCodecs
  4. CVE-2024-3159: Out-of-bounds memory access in V8
  5. CVE-2024-4671: Use-after-free in Visuals
  6. CVE-2024-4761: Out-of-bounds write in V8
  7. CVE-2024-4947: Type confusion in V8
  8. CVE-2024-5274: Type confusion in V8

Affected Versions

Google Chrome versions before 128.0.6613.84 are affected by this vulnerability.

Mitigation

Customers are requested to upgrade to the latest stable channel version 128.0.6613.84/.85 for Windows and Mac and 128.0.6613.84 for Linux.

For more information, please refer to the Google Chrome Release Page.

Qualys Detection

Qualys customers can scan their devices with QIDs 380377 and 380380 to detect vulnerable assets.

Microsoft has released the Microsoft Edge Stable Channel (Version 128.0.2739.42) to address CVE-2024-7971, which the Chromium team has reported as being exploited in the wild.
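Patch verification usually comes down to comparing installed browser builds against the fixed builds named above. The following is an added example, not Qualys tooling or code from the advisory: it takes the fixed versions stated on this page (Chrome 128.0.6613.84, Edge 128.0.2739.42) and flags entries in a constructed sample inventory that predate them, comparing versions numerically rather than as strings (a string comparison would rank "99.0.4844.51" above "128.0.6613.84"). The inventory format, hostnames and sample versions are assumptions for the demonstration.

```python
"""Flag browser installs older than the fixed builds named in the advisory.

Added example, not Qualys tooling. Fixed versions are taken from the advisory:
Chrome 128.0.6613.84 and Microsoft Edge 128.0.2739.42. The inventory below is
constructed sample data, not an export from any real system.
"""
import csv
import io

# Minimum build that carries the fix for CVE-2024-7971 / CVE-2024-7965, per the advisory.
FIXED_VERSIONS = {
    "chrome": "128.0.6613.84",
    "edge": "128.0.2739.42",
}


def parse_version(text):
    """Convert a dotted version string into a tuple of ints.

    Tuple comparison is numeric per component, so "99.0.4844.51" correctly
    sorts below "128.0.6613.84"; a plain string comparison would get this wrong.
    Malformed input raises rather than silently comparing as "safe".
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(product, version):
    """Return True if the installed build is older than the fixed build.

    Products without a recorded fixed version raise a KeyError so that an
    unknown product is never reported as patched by accident.
    """
    key = product.strip().lower()
    if key not in FIXED_VERSIONS:
        raise KeyError(f"no fixed version on record for {product!r}")
    return parse_version(version) < parse_version(FIXED_VERSIONS[key])


# Constructed sample inventory (hostname,product,version); values are made up.
SAMPLE_INVENTORY = """hostname,product,version
ws-001,chrome,127.0.6533.120
ws-002,chrome,128.0.6613.84
ws-003,chrome,128.0.6613.85
ws-004,edge,128.0.2739.42
ws-005,edge,127.0.2651.105
ws-006,chrome,99.0.4844.51
"""


def find_unpatched(inventory_csv):
    """Return the sorted hostnames whose browser build predates the fix."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return sorted(
        row["hostname"]
        for row in reader
        if is_vulnerable(row["product"], row["version"])
    )


if __name__ == "__main__":
    for host in find_unpatched(SAMPLE_INVENTORY):
        print(f"{host}: browser build predates the fixed version, schedule an update")
```

Feeding a real inventory export into `find_unpatched` in place of the sample gives a list of hosts still on a vulnerable build; hosts on 128.0.6613.85 (the second Windows/Mac build) are correctly treated as patched because they are newer than the minimum fixed build.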

Rapid Response with Patch Management (PM)

Qualys Patch Management and its Zero-Touch Patching feature provide a seamless, automated process of patching a vulnerability like this.

Zero-Touch Patching identifies the most vulnerable products in your environment and automates the deployment of necessary patches and configuration adjustments. This not only streamlines the patching process but also ensures vulnerabilities are addressed promptly.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_21.html
