Google Chrome users have been hit with a raft of update warnings in recent weeks; two recent vulnerabilities, both confirmed as being actively exploited, prompted a US government mandate to update or stop using Chrome by September 18. Now, as that deadline expires, there’s a new security release with and warning for users to update to ensure their browsers are protected against any future exploitation attempts.
Google’s latest advisory brings its stable desktop channel for Windows and Mac up to 129.0.6668.58/.59, with multiple risks patched. The most serious fix is for a high-severity Type Confusion memory vulnerability. While there are no active attack warnings this time around, this is the kind of issue often exploited. As ever, no material details are being released at this stage as users are urged to update.
There are also three medium-severity fixes of note.
- High CVE-2024-8904: Type Confusion in V8.
- Medium CVE-2024-8905: Inappropriate implementation in V8.
- Medium CVE-2024-8906: Incorrect security UI in Downloads.
- Medium CVE-2024-8907: Insufficient data validation in Omnibox.
Chrome’s 2-billion desktop users should all have updated in recent weeks to protect themselves against the much more serious threats that triggered the US government’s cybersecurity agency to issue its update mandate. While CISA’s directive only applies formally to federal staff, all organizations should follow suit given its broader remit to protect industry from known threats and guide their cyber defenses.
CISA’s says the purpose of its mandates is to “maintain the authoritative source of vulnerabilities that have been exploited in the wild. Organizations should use the KEV catalog as an input to their vulnerability management prioritization framework.”
As with this new update, the more serious threats were also memory risks. An “inappropriate implementation” and a “type confusion” in the V8 engine. The first was published on August 21, as Google warned that CVE-2024-7971 was being actively exploited in the wild. The second came a week later, when Chrome upgraded another vulnerability—CVE-2024-7965, confirming it was also under attack.
This week’s security update is the third since those zero-days were confirmed, with others being released on September 2 and 10 respectively. Just as this week, both fixed high-severity risks, but with no new exploits disclosed.
The latest update should download automatically and users can check it has done so in their browser settings. Restarting Chrome will ensure it installs correctly.
