Google has just issued an emergency Chrome update for desktop users, warning that an exploit for a serious security vulnerability now “exists in the wild.”
The Chrome stable channel has been updated to 128.0.6613.84/.85 for Windows and Mac, and 128.0.6613.84 for Linux. It should download to your PC automatically, but you will need to check and restart the browser to ensure it installs.
CVE-2024-7971, the vulnerability that has been exploited in the wild, is a type confusion in V8, a typical memory issue for a Chrome zero-day, which “allows a remote attacker to exploit heap corruption via a crafted HTML page.” This means an attacker could potentially use it to destabilize a PC, compromise data or execute rogue code. The vulnerability was found and reported by Microsoft.
This has been a busy month for such zero-day vulnerabilities, with Microsoft’s own bumper Patch Tuesday and another vulnerability triggering emergency patches across Android’s ecosystem. It has very much become the “update everything” month.
As ever, Google is withholding any more detailed information “until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”
The update seems to have been made available immediately, and so the usual kudos to Google for acting quickly. That said, the emergency zero-day update will steal the headlines from Google’s feature updates this month—sensitive data protection and more seamless password management.
More happily for Google, it might also distract attention from the news that the company “must face trial over claims Chrome misled users on data collection,” which itself will prolong the negative publicity following the surprise decision to maintain tracking cookies despite repeated assurances to kill them off.
Notwithstanding the ongoing tracking debacle, Chrome has proven extraordinarily resilient and its dominant market share shows no signs of weakening. And so the billions of users sticking with the browser need to get updating.