Time to update Chrome: Google is warning that hackers are abusing a serious flaw in the desktop version of the browser.
The company mentioned the previously unknown "zero-day" flaw in a Wednesday Chrome update. Details about the bug, called CVE-2024-7971, are thin, but Google says hackers developed an "exploit" for the vulnerability, allowing them to attack user computers.
The threat involves a “type confusion” vulnerability, where the software mistakenly uses one type of programming resource as another. This can allow an attacker to access normally protected processes in a program to crash the software or trick it into running malicious computer code.
CVE-2024-7971 specifically affects Chrome's V8 JavaScript engine. According to the US National Institute of Standards and Technology, exploiting the flaw can enable a “remote attacker to exploit heap corruption via a crafted HTML page." This suggests a hacking group has exploited the flaw through malicious web pages, which could be further circulated through phishing emails. The booby-trapped web pages might then trigger Chrome to run the exploit.
Google learned of the flaw from Microsoft’s Threat Intelligence Center on Monday, which led the company to release a fix only two days later.
For Windows, Mac, and Linux users, the patch will arrive as version 128.0.6613.84/.85, which also contains fixes for numerous other bugs. An option to update Chrome should appear in the browser's upper-right corner. Otherwise, go to the “About Chrome” tab to automatically receive the update or visit Google's support page on downloading the patches.
Microsoft also plans to implement the patches for its Chromium-based Edge browser.