If you use Google Chrome or a Chromium-based web browser, you need to update it ASAP.
Google’s latest update for Chrome, version 128.0.6613.84/.85 (Windows/Mac) and 128.0.6613.84 (Linux), comes with patches for 38 security vulnerabilities, eight of which Google identifies as “High” severity. Google detailed all these patches in its latest Chrome Releases blog post, running through each vulnerability’s type, severity, reward (the money rewarded to the researcher who discovered it), and noting who reported the flaw.
While it’s important to fix all these vulnerabilities, one of them is more important than others: The vulnerability, a zero-day, is tracked as CVE-2024-7971, and is a type confusion flaw affecting Chrome’s V8 JavaScript engine. Type confusion occurs when a program processes an object without checking its type first: If that type is incompatible or incorrect, it can create a vulnerability that bad actors can exploit.
That’s the case with CVE-2024-7971: Google confirmed in its blog post that the company is aware an exploit for this vulnerability exists in the wild, which means someone, somewhere knows how to use it. Worse yet, this vulnerability doesn’t require an attacker to have physical access to your browser, as a remote hacker was able to exploit it. The chances may be low that a hacker would both know about this exploit and have their eyes set on your Chrome browser, but the odds aren’t zero. Why take the risk?
According to The Hacker News, this is the ninth zero-day vulnerability Google has addressed this year, and the third type confusion issue affecting its V8 JavaScript engine. Interestingly, it was Microsoft Security Response Center who reported the bug, earning $11,000 in the process.
While the other 37 vulnerabilities aren’t zero-days, and thus have no known active exploits at this time, they’re still important to patch immediately. Now that these flaws are out in the open, it’s only a matter of time before bad actors figure out how to exploit them, too. If you browser isn’t updated, you’re left vulnerable to any of these potential exploits.
Update to protect your browser from this vulnerability
As noted above, this bug doesn’t just affect Chrome, but all browsers built on the open-source platform Chromium. That includes Chrome, of course, but also Microsoft Edge, Opera, Brave, and Vivaldi. If you use any of these browsers, you should update as soon as possible.
To update Chrome, tap on the three dots in the top-right corner of your window, then go to Help > About Google Chrome. Let Chrome look for a new update. If one is available, you can click Relaunch to allow the browser to install the patch.
