Here we are again. For the second time in three months, the U.S. government has warned that the world’s most popular browser is known to be under attack. Federal employees have just 21 days to update their browsers or stop using them completely. Given Chrome’s two-billion-plus desktop users, that’s a big deal and should really apply to all users. There’s also a new, nasty sting in the tail that’s just come out.

According to the U.S. cybersecurity agency, CVE-2024-7971 “contains a type confusion vulnerability that allows a remote attacker to exploit heap corruption via a crafted HTML page.” This means an attacker can force a logical memory error to destabilize a system, opening the door to an attack. As ever, don’t think of these vulnerabilities in isolation, think of them being used in combination with others.

While Chrome will grab the headlines given that it dominates the desktop market with 2-billion-plus users, CISA also advises that the Chromium vulnerability “could affect multiple web browsers, including Google Chrome, Microsoft Edge, and Opera.” If you’re using any Chromium browser, the warning applies to you.

CISA has taken more time adding this known exploit to its KEV catalog than expected. It’s almost a week since Google warned that “exploits for CVE-2024-7971 exist in the wild,” updating the stable desktop channel to 128.0.6613.84/.85 for Windows and Mac. I had expected this to be added sooner.

If you needed another reason to update right now, look no further than the nasty surprise suddenly added to last week’s advisory. Google updated the notice on August 26 “to reflect the in the wild exploitation of CVE-2024-7965 which was reported after this release.” This second exploited vulnerability is listed as an “inappropriate implementation in V8,” meaning the potential for an attack to achieve out-of-bounds (unexpected) memory access, again with a maliciously crafted webpage.

At the time of writing, CISA has only added the first vulnerability to its catalog—but it’s fairly certain the second will follow soon. It is now mandatory for all federal employees to “apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable,” which means update or stop using. And the cutoff date is the usual 21 days from release, which is September 16.

This has been a busy month for such warnings, with multiple Windows zero-days and an Android zero-day all coming within a small number of weeks. And while CISA’s formal mandate only applies to federal government employees, many other organizations do—and all should—follow the same guidance. As CISA itself says, the purpose of the catalog and these deadlines is “to help every organization better manage vulnerabilities and keep pace with threat activity.”

All these Chrome zero-days exploit memory vulnerabilities of one kind or another, but the good news is that Google is working on a broader set of defenses to stop this happening quite so frequently.

Updating your browser to the latest stable release will patch both zero-days and multiple other bugs, several of which are high-severity, even if they have not yet been exploited in the wild—as far as we know. The update should download automatically, but restart your browser once that’s done to ensure it installs.
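As an added example (not part of the article), a small Python check that compares an inventory of reported Chrome versions against the fixed stable release quoted above, so a fleet can be triaged before the KEV deadline. The inventory is constructed, and the threshold applies to Google Chrome only: Edge and Opera carry their own version numbers, so their fixed versions must come from those vendors and be passed in separately.

```python
"""Triage installed Chrome versions against the release that fixed CVE-2024-7971 / CVE-2024-7965."""
from typing import Dict, Tuple

# Stable desktop channel release cited by Google for Windows/Mac (128.0.6613.84/.85).
FIXED_CHROME_VERSION = "128.0.6613.84"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted Chromium version such as '128.0.6613.84' into a tuple of ints.

    Raises ValueError on malformed input (e.g. 'not installed' or ''), so a
    bad inventory entry is never silently treated as patched.
    """
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, fixed: str = FIXED_CHROME_VERSION) -> bool:
    """True if the installed version is at or above the fixed release.

    Tuples compare element-wise, which avoids the classic string-compare bug
    where '99.0.0.0' sorts above '128.0.6613.84'. A truncated version such as
    '128.0' compares below the full fixed version and is reported as unpatched.
    """
    return parse_version(installed) >= parse_version(fixed)


def triage(inventory: Dict[str, str], fixed: str = FIXED_CHROME_VERSION) -> Dict[str, str]:
    """Map each host in {host: version} to 'ok', 'UPDATE' or 'unknown'."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "ok" if is_patched(version, fixed) else "UPDATE"
        except ValueError:
            result[host] = "unknown"  # needs a manual look, not a free pass
    return result


if __name__ == "__main__":
    # Constructed sample inventory, as might be exported from an endpoint management tool.
    sample = {
        "ws-01": "128.0.6613.84",   # exactly the fixed build
        "ws-02": "128.0.6613.85",   # the Mac build from the same release
        "ws-03": "127.0.6533.120",  # previous major version
        "ws-04": "99.0.0.0",        # old build that naive string compare would pass
        "ws-05": "not installed",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```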

With two zero-days in this latest update—and the potential for more to come—you should follow CISA’s timeline whether you’re a work or home user. We don’t yet know the extent of the ongoing attacks, but such exploits have a habit of getting out more widely, especially in the time between updates being released and applied.
