Hackers exploit Chrome vulnerabilities, US cyber agency urging users to update

Google Chrome users should check if their browser is updated, as versions prior to 124.0.6367.207 allow malicious actors to exploit critical flaws. Following an emergency security patch, Google has released Chrome version 125, which fixes two additional high-risk flaws.

The Chrome team released stable version 125, which brings nine security fixes and other improvements. Users should not delay this update.

Two of the ‘high risk’ Chrome vulnerabilities were included in the US Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities Catalog. CISA warned federal agencies to resolve ‘high-risk’ vulnerabilities in the coming weeks.

One of the vulnerabilities, labeled CVE-2024-4761, affects Chrome versions prior to 124.0.6367.207. This “out-of-bounds write” vulnerability affects the V8 JavaScript engine, which is used by Google Chrome and other Chromium-based browsers and runs JavaScript code included in webpages.

According to the National vulnerability database, it “allowed a remote attacker to perform an out-of-bounds memory write via a crafted HTML page.”

“This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera,” CISA said and set a due date for agencies to 2024-06-06.

The other vulnerability, labeled CVE-2024-4671, must be fixed by agencies even sooner, before June 3rd. It allowed remote attackers, “who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.” This vulnerability also affects many Chromium browsers.

Usually, CISA requires that ‘high risk’ vulnerabilities are resolved within 30 days and ‘critical risk’ vulnerabilities within 15 days.

“Although BOD 22-01 only applies to Federal Civilian Executive Branch agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation,” CISA said.

On Wednesday, Google announced the two additional high-risk vulnerabilities (CVE-2024-4947 and CVE 2024-4948), and at least one of them was exploited in the wild. Type Confusion in V8 is a critical vulnerability that could allow a remote attacker to execute arbitrary code inside a sandboxed environment via a crafted HTML page.

All those vulnerabilities are resolved in the latest Chrome versions, 125.0.6422.60/.61 on Windows and Mac and 125.0.6422.60 on Linux. Stable versions were also released on iOS and Android.

To update Chrome, go to Settings and select About Chrome. If the update is available, Chrome will notify you and start downloading it.