Google has announced the release of Chrome 128 to the stable channel for Windows, Mac, and Linux.
This update, Chrome 128.0.6613.84 for Linux and 128.0.6613.84/.85 for Windows and Mac addresses a critical zero-day vulnerability actively exploited in the wild.
The update includes 38 security fixes, with particular attention to those contributed by external researchers.
Details of the Zero-Day Vulnerability
The Chrome team has been working diligently to address a zero-day vulnerability that has been actively exploited.
The vulnerability, CVE-2024-7971, involves type confusion in V8, Chrome’s open-source JavaScript engine.
The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) reported this flaw on August 19, 2024.
While the specific details of the exploit remain restricted to protect users, the fix’s urgency underscores the vulnerability’s potential severity.
The Chrome team has emphasized that access to bug details and links will remain restricted until most users have updated their browsers.
This precaution ensures that users are protected before the vulnerability details are public, preventing further exploitation.
In addition to the zero-day vulnerability, the Chrome 128 update includes a wide range of security fixes.
Below is a table summarizing the key vulnerabilities addressed in this update:
Bounty | CVE ID | Severity | Description | Reported On |
$36,000 | CVE-2024-7964 | High | Use after free in Passwords | 2024-08-08 |
$11,000 | CVE-2024-7965 | High | Inappropriate implementation in V8 | 2024-07-30 |
$10,000 | CVE-2024-7966 | High | Inappropriate Implementation in Permissions | 2024-07-25 |
$7,000 | CVE-2024-7967 | High | Heap buffer overflow in Fonts | 2024-07-27 |
$1,000 | CVE-2024-7968 | High | Use after free in Autofill | 2024-06-25 |
TBD | CVE-2024-7969 | High | Type Confusion in V8 | 2024-07-09 |
TBD | CVE-2024-7971 | High | Type confusion in V8 | 2024-08-19 |
$11,000 | CVE-2024-7972 | Medium | Inappropriate implementation in V8 | 2024-06-10 |
$7,000 | CVE-2024-7973 | Medium | Heap buffer overflow in PDFium | 2024-06-06 |
$3,000 | CVE-2024-7974 | Medium | Insufficient data validation in V8 API | 2024-05-07 |
$3,000 | CVE-2024-7975 | Medium | Insufficient data validation in the Installer | 2024-06-16 |
$2,000 | CVE-2024-7976 | Medium | Inappropriate implementation in FedCM | 2024-05-10 |
$1,000 | CVE-2024-7977 | Medium | Insufficient Policy Enforcement in Data Transfer | 2024-02-11 |
$1,000 | CVE-2024-7978 | Medium | Insufficient data validation in the Installer | 2022-07-21 |
TBD | CVE-2024-7979 | Medium | Insufficient data validation in the Installer | 2024-07-29 |
TBD | CVE-2024-7980 | Medium | Inappropriate Implementation in Views | 2024-07-30 |
$1,000 | CVE-2024-7981 | Low | Inappropriate Implementation in WebApp Installs | 2023-07-14 |
$500 | CVE-2024-8033 | Low | Inappropriate implementation in WebApp Installs | 2024-06-30 |
$500 | CVE-2024-8034 | Low | Inappropriate implementation in Custom Tabs | 2024-07-18 |
TBD | CVE-2024-8035 | Low | Inappropriate implementation in Extensions | 2022-04-26 |
The Chrome team is committed to ensuring user safety and has expressed gratitude to the security researchers who contributed to these fixes.
Users are strongly encouraged to update their browsers to the latest version to protect against these vulnerabilities.
Google also plans to release more information about new features and major efforts in upcoming blog posts for Chrome and Chromium.
As cyber threats evolve, timely updates and collaboration with the security community remain crucial in safeguarding users worldwide.
InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot
Zero Day: Expose Software Vulnerabilities And Eliminate Bugs