Key Takeaways
- Late in August, Google released a security patch that fixed 37 vulnerabilities, with fixes for two high-severity exploits that allow threat actors to remotely execute code.
- The US CISA has mandated all federal employees to update to the latest version of Chrome by September 18 to address the vulnerabilities.
- Regular users are also recommended to ensure that they’re running the latest version of Chrome. Head to Settings → Privacy and security → Safety Check to ensure you’re on Chrome 128.0.6613.84/.85 or a later-released version.
Independent of the new Chrome security feature bundle last week, Google released a security patch late in August that fixed several high-severity vulnerabilities — two of which have been added to the US government’s Cybersecurity and Infrastructure Security Agency’s (CISA) list of Known Exploited Vulnerabilities (KEV).
The two threats (CVE-2024-7971 and CVE-2024-7965), which allow threat actors to remotely execute code, remain a significant threat to users who still haven’t updated Chrome to the latest release.
The CISA has mandated all federal employees to update to the latest version of Chrome by September 16 and September 18 for the two vulnerabilities, respectively, or “stop using their browsers,” as highlighted by Forbes. It’s worth noting that while the mandate is mainly for government employees, many organizations use its KEV catalog guidelines, making it imperative for them, too, to update to the latest version of Chrome — version 128.0.6613.138, as of writing.
CVE-2024-7971 was first reported by Microsoft, and according to the tech giant, it offered North Korean threat actors access to remotely execute code on victims’ devices by exploiting the V8 JavaScript and WebAssembly engine, primarily impacting versions of Chromium prior to 128.0.6613.84. The vulnerability follows CVE-2024-4947 and CVE-2024-5274, both of which also took advantage of the V8 type confusion vulnerability.
According to Microsoft, a North Korean entity which has been identified as Citrine Sleet uses social engineering and the V8 JavaScript vulnerability to lure victims into downloading malicious software that collects sensitive information, with the threat actors primarily targeting financial institutions in the cryptocurrency sector.
The second vulnerability, CVE-2024-7965, has also been actively exploited in the wild, and functions similarly to CVE-2024-7971. It was first reported by “TheDog” on July 30, 2024, as shared by Difenda, and has also been fixed in the latest Chrome release.
Chrome’s Safety Check tool, which now automatically runs in the background on both Android and desktop, should help mitigate potential threats by revoking permissions from sites that you no longer visit and flagging unwanted notifications. The tool also reminds users if there’s a security issue that needs manual intervention, alongside regular scans for software updates and security patches, with reminders to update if one is available.
To check if your Chrome is up-to-date, tap the three-dot menu on the top right and head to Settings. Click on Privacy and security → Safety Check. As of today, Chrome should be on version 128.0.6613.138 to be considered the latest or version 128.0.6613.84 (Linux) 128.0.6613.84/.85(Windows, Mac) to be considered safe.
Source link
