Application security, Vulnerability Management, Patch/Configuration Management

Google patches 3rd Chrome browser zero-day inside of a week


Google on May 15 posted nine Chrome patches — one of them yet another zero-day — the third this week reported by the tech giant. The patches coincide with Google’s Chrome team announcing the release of Chrome 125 to the stable channel for Windows, Mac, and Linux. These updates will roll out over the coming days/weeks.


Security pros said the most important bug was the high-severity zero-day — CVE-2024-4947 — described by NIST as a type confusion in V8 in Google Chrome prior to 125.0.6422.60 that allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.

Google said CVE-2024-4947 was reported by Vasily Berdnikov and Boris Larin of Kaspersky on May 13. The company also noted that it's aware that an exploit for CVE-2024-4947 exists in the wild.

“More than any change with Chrome itself, [these zero-days] are a reflection of attackers continuing to focus on browsers in general and Chrome in particular as their most prized target,” said Lionel Litty, chief security architect at Menlo Security. “An exploitable bug in Chrome often means the ability to target not only the vast numbers of Chrome users on desktop and Android, but also the users of Edge and other more niche browsers that are also based on Chromium.”

Patrick Tiquet, vice president of security and architecture at Keeper Security, said that these high-security flaws are serious and teams should patch them immediately.  

“With CVE-2024-4947 actively being exploited in the wild, remote attackers can execute arbitrary code on affected systems, potentially compromising them entirely and allowing for data theft, system manipulation or further exploitation, making it critical for Chrome users to update their browsers as soon as possible,” said Tiquet.  


Security pros say the uptick in Chrome zero-days this week demonstrates an increased focus by threat actors on attacking browsers.
