Google patched a zero-day vulnerability in Chrome that it acknowledged has been exploited in the wild. It's the ninth time this year the tech giant has patched a Chrome zero-day.
The bug — CVE-2024-7971 — is a type confusion weakness in Chrome’s V8 JavaScript engine. In an advisory posted Aug. 21, Google said the bug was reported by the Microsoft Threat Intelligence Center and the Microsoft Security Response Center on Aug. 19.
According to the Common Weakness Enumeration website posted by MITRE, a type confusion happens when a product allocates a resource such as a pointer, object, or variable using one type, but later accesses the resource using a type that’s incompatible with the original. The danger: when a product accesses the resource using an incompatible type, it could trigger logical errors because the resource does not have expected properties.
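To make the CWE definition above concrete, here is an added example (constructed for this article, not code from V8 or Chrome) of a tagged value whose storage is read through an accessor that trusts the caller's assumed type, next to an accessor that checks the tag first. The `Value`, `Tag` and accessor names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed tagged value: one storage area, interpreted according to `tag`. */
typedef enum { T_INT, T_DOUBLE } Tag;

typedef struct {
    Tag tag;
    union {
        long long integer;
        double dbl;
    } u;
} Value;

Value make_int(long long n) {
    Value v;
    memset(&v, 0, sizeof v);   /* zero every byte so later reads are deterministic */
    v.tag = T_INT;
    v.u.integer = n;
    return v;
}

Value make_double(double d) {
    Value v;
    memset(&v, 0, sizeof v);
    v.tag = T_DOUBLE;
    v.u.dbl = d;
    return v;
}

/* CWE-843 pattern: reads the storage as a double without checking how it was allocated.
 * For a value created by make_int the result is the integer's bit pattern reinterpreted
 * as a double, i.e. a logically wrong value, not the number that was stored. */
double as_double_unchecked(const Value *v) {
    return v->u.dbl;
}

/* Hardened accessor: refuses to interpret the storage unless the tag matches. */
bool as_double_checked(const Value *v, double *out) {
    if (v->tag != T_DOUBLE)
        return false;
    *out = v->u.dbl;
    return true;
}

int main(void) {
    Value v = make_int(42);
    double d = 0.0;
    printf("unchecked read of an int as double: %g\n", as_double_unchecked(&v));
    printf("checked read: %s\n", as_double_checked(&v, &d) ? "ok" : "type mismatch rejected");
    return 0;
}
```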
The surge this year in urgent security fixes to Chrome from Google spotlights the need for constant alertness and preemptive action against cyber threats, said Stephen Kowski, Field CTO at SlashNext. Kowski said with hackers relentlessly targeting weak points, companies must prioritize swift patch deployment and bolster their defenses with real-time attack detection and prevention systems.
“The discovery of this flaw by multiple experts showcases how shared intelligence can speed up risk identification and mitigation,” said Kowski. “Security teams can blunt the impact of such vulnerabilities by staying ahead of the curve and taking decisive action.”
John Bambenek, president at Bambenek Consulting, added that while there’s an ebb and flow in the frequency of browser vulnerabilities, because most people interact with the internet via the browser, attackers will continue to focus their research there. This most recent vulnerability demonstrates that the telemetry Microsoft gets helps find these unknown zero-days faster.
“Cooperation with another company, who's otherwise a competitor, shows we’re doing more of the right thing for users,” said Bambenek. “This should be a simple update to deploy, and since the browser isn’t usually a key component of mission-critical applications, the update should not be overly disruptive.”
Ted Miracco, chief executive officer of Approov, pointed out that this recent patch reflects broader concerns about how the dominance of a few major tech companies in leading areas of cybersecurity like web browsers can create systemic risks. Miracco said when a vulnerability gets discovered in a platform as ubiquitous as Chrome, the potential impact is vast, affecting millions of users and a wide array of systems that rely on this browser.
“When Google’s Chrome browser or Apple’s Safari faces a security vulnerability, the fallout is immense due to the sheer number of users and systems dependent on these platforms,” said Miracco. “This risk is not confined to web browsers. In the mobile app ecosystem, both Google and Apple have near-total control through their respective app stores — Google Play and the Apple App Store. This level of control ensures uniformity, but it also stifles competition and the adoption of more diverse and potentially more robust security measures.”