Google has fixed the first major Chrome security flaw of 2024 - so here's what you need to know before you update
An out-of-bounds Google Chrome flaw allowed hackers to grab sensitive data from vulnerable endpoints
Google has fixed its first, actively exploited, Chrome zero-day vulnerability of the year.
The flaw is tracked as CVE-2024-0519, and allows attackers to gain access to sensitive data, or launch denial of service attacks. The flaw can also be chained with other vulnerabilities to achieve remote code execution (RCE), it was said.
"Google is aware of reports that an exploit for CVE-2024-0519 exists in the wild," the browser giant said in an advisory published earlier this week.
Reader Offer: Save up to 68% on Aura identity theft protection
TechRadar editors praise Aura's upfront pricing and simplicity. Aura also includes a password manager, VPN, and antivirus to make its security solution an even more compelling deal. Save up to 50% today.
Preferred partner (What does this mean?)
No details - yet
The latest version of the browser is 120.0.6099.224/225 for Windows, 120.0.6099.234 for Mac, and 120.0.6099.224 for Linux. Even though Google usually says that the rollout of the patch to the Stable Desktop channel will be gradual, it was available when we tried to update the browser just now.
Still, the update was not automatic and required us to bring up the Settings menu and scan for updates.
CVE-2024-0519 is described as a high-severity out-of-bounds memory access weakness in the Chrome V8 JavaScript engine.
"The expected sentinel might not be located in the out-of-bounds memory, causing excessive data to be read, leading to a segmentation fault or a buffer overflow," MITRE said. "The product may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent read operation then produces undefined or unexpected results." What’s more, the vulnerability can be used to work around ASLR and similar bypass protection mechanisms and chained together with other flaws for RCE.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Given the severity of the vulnerability, Google decided not to share additional details until the vast majority of browsers had been updated.
"Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Google said. "We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed."
Via BleepingComputer
More from TechRadar Pro
- Everything you need to know about Chrome’s latest zero-day emergency and update patch
- Here's a list of the best firewalls around today
- These are the best endpoint security tools right now
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.