
Google patches actively exploited zero-day in Chrome. Update now!

Google has released an update to its Chrome browser, patching a vulnerability that Google says is already being exploited: a so-called zero-day vulnerability.

Google has fixed this zero-day with the release of versions 128.0.6613.84/.85 for Windows/macOS and 128.0.6613.84 for Linux, which will be rolled out to all users in the coming weeks.

The easiest way to update Chrome is to let it do it automatically. However, you run the risk of falling behind if you never close your browser or if something goes wrong, such as an extension that prevents you from updating the browser.

To get the update manually, click Settings > About Chrome. If an update is available, Chrome will notify you and download it. After that, all you need to do is restart the browser to complete the update and protect yourself from these vulnerabilities.

After the update, the version should be 128.0.6613.84/85 or later.
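The same version check applied across several machines, as an added example that is not part of the original article: it parses reported Chrome version strings and compares them numerically against the fixed build 128.0.6613.84 named above. The host names and inventory readings are constructed, and the function names are illustrative.

```python
import re

# Fixed build named in the article: 128.0.6613.84 (Windows/macOS also receive .85).
PATCHED_MIN = (128, 0, 6613, 84)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract the four-part version from e.g. 'Google Chrome 128.0.6613.84'."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def is_patched(text):
    """True if at or above the fixed build, False if older, None if unparseable."""
    version = parse_version(text)
    if version is None:
        return None
    # Tuples of ints compare field by field, so .9 correctly sorts below .84.
    return version >= PATCHED_MIN


def audit(inventory):
    """Group host names by status: patched, vulnerable, or unknown."""
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version_text in inventory.items():
        status = is_patched(version_text)
        key = "unknown" if status is None else ("patched" if status else "vulnerable")
        result[key].append(host)
    return result


# Constructed sample inventory (hosts and readings are made up for illustration).
SAMPLE_INVENTORY = {
    "ws-01": "Google Chrome 128.0.6613.85",
    "ws-02": "Google Chrome 128.0.6613.84",
    "ws-03": "Google Chrome 128.0.6613.9",    # a plain string compare ranks this above .84
    "ws-04": "Google Chrome 127.0.6533.120",
    "ws-05": "Google Chrome 129.0.6668.58",
    "ws-06": "version unavailable",           # treated as unknown, not as patched
}

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as unknown should be followed up rather than assumed safe, since a missing reading says nothing about the installed build.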

In addition to the zero-day, this update includes 37 other security fixes, plus Google Lens for desktop. This means you can search everything you see on the web without leaving your current tab.

Google Lens is available in every open tab. Here’s how to use it:

  1. Open the Chrome menu (three dots stacked on top of each other).
  2. Select Search with Google Lens.
  3. Select something on the page by clicking and dragging anywhere on the page.
  4. Refine your answers by typing in the search box in the side panel.

Please note that Google receives a screenshot of every Google Lens search you perform.

Technical details about the zero-day vulnerability

A zero-day is a vulnerability in software or hardware that is typically unknown to the vendor and for which no patch or other solution is available. The zero-day vulnerability addressed here is tracked as CVE-2024-7971, a type confusion in V8 in Google Chrome that could allow a remote attacker to exploit heap corruption via a crafted HTML page.

JavaScript uses dynamic typing. This means that the type of a variable is determined and updated at runtime, as opposed to being set at compile time in a statically typed language.

V8 is the JavaScript engine that Chrome uses and is a major source of security vulnerabilities.

Heap corruption occurs when a program changes the contents of a memory location outside the memory allocated to the program. The outcome can be relatively benign, causing a memory leak, or fatal, causing a memory error, usually in the program causing the corruption.

An attacker would need to convince a target to open a specially crafted HTML file, which typically means visiting a website. This would cause the unpatched browser to accept an unexpected value for a variable that would overflow the reserved memory location. The attacker could then exploit the overflow for their own malicious purposes.

