Google Chrome browser patches 9th and 10th zero-days of 2024
Posted by Joshua Long
On Wednesday, August 21, the Google Chrome browser was updated to version 128.0.6613.84 to address multiple vulnerabilities, including two that have been actively exploited in the wild. These are the ninth and tenth Chromium vulnerabilities this year for which Google is aware of real-world exploitation.
Google says that “exploits for CVE-2024-7971 and CVE-2024-7965 exist in the wild.” This means that users must install patches urgently. Both of these vulnerabilities exist in Chromium’s V8 engine.
At the time of release, Google was only aware of CVE-2024-7971 being exploited in the wild. Google later updated its release notes blog post on Monday, August 26, to acknowledge that it was aware of in-the-wild exploitation of CVE-2024-7965 as well.
Before these two, the most recently exploited Chromium vulnerability dated back to May 2024; in fact, four zero-day vulnerabilities were exploited in the wild that month.
Whenever Chrome gets a security update, other browsers based on the Chromium open-source Web browser project generally require an update, too. Notable browsers built upon the Chromium codebase include Microsoft Edge, Arc, Brave, Vivaldi, Opera, and Opera GX.
Arc, Brave, and Microsoft Edge all got updates on Thursday, August 22. These three browsers are based on the most recent Chromium version.
Opera and Vivaldi, however, are based on older Chromium code bases; this means that the engineers who develop them must backport security patches. Opera and Opera GX addressed CVE-2024-7971 on Friday, August 23, but Opera’s QA team has not yet acknowledged CVE-2024-7965. (We have reached out to Opera and are awaiting their response.) Meanwhile, Vivaldi addressed CVE-2024-7965 on Saturday, August 24; however, Vivaldi has not yet acknowledged CVE-2024-7971.
Update: Vivaldi 6.9, released on Thursday, August 29, is built upon Chromium 128.0.6613.117, rather than the outdated Chromium 126 code base. Therefore, Vivaldi 6.9 presumably includes all Chromium patches from last week’s Chrome update.
How to update Chromium-based desktop browsers
Mac users can update their Chrome, Brave, Edge, or Opera browsers by clicking on the application menu (e.g. “Chrome” or “Microsoft Edge,” next to the Apple logo menu), and then clicking the first item in that menu (e.g. “About Google Chrome” or “About Microsoft Edge”). The browser will check for updates; if an update is available, it will prompt you to restart the app to complete the update.
Arc and Vivaldi for macOS have a slightly different update procedure. After clicking on the Arc or Vivaldi menu (next to the Apple menu), click on “Check for Updates…” to ensure you have the latest version installed.
Windows users can update their browsers by following the steps provided by each browser maker: Chrome, Arc, Brave, Edge, Opera, Vivaldi.
How to update Chromium-based mobile browsers
Android users should check the Google Play Store app for the latest versions of their browsers and other apps.
Mobile browsers on iOS and iPadOS use Safari’s WebKit engine, rather than Chromium’s Blink and V8 engines. Therefore, these particular vulnerabilities do not affect the iOS or iPadOS versions of any Web browsers. If you would like to update your iPhone and iPad browsers anyway, you can do so via the App Store. (Here’s how to manually check for and install updates.)
Starting with iOS 17.4, browser makers may opt into using their own rendering engines. However, this is only available in the EU, for compliance with the Digital Markets Act. No major third-party browser has chosen to bring its own engine to iOS yet.
Non-browser apps need updates, too
As we’ve noted in the past, many non-browser apps, including Electron apps, also rely on the Chromium browser codebase for rendering HTML content. These include the desktop versions of apps like 1Password, Discord, Dropbox, Figma, GitHub, Microsoft Teams, Signal, Skype, Slack, Trello, Twitch, WhatsApp, WordPress, and Zoom.
Notably, the Electron framework does not get updated in tandem with Chromium, so some Electron-based apps may remain vulnerable for months. For this and other reasons, it’s important to keep all your other apps updated as well.
To update Mac App Store apps, open the App Store, then click Updates, and click on Update All. Other apps usually have their own separate in-app or external update mechanisms. In some cases, you may need to update an app manually by downloading a new version from the developer’s site.
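To see which installed apps bundle their own copy of Electron (and therefore of Chromium), the following added example, which is not from the original article, scans a macOS applications folder and reports the Electron version recorded in each app bundle. The bundle path `Contents/Frameworks/Electron Framework.framework` and the use of `CFBundleVersion` as the Electron version are assumptions about how Electron apps are typically packaged.

```python
import plistlib
import sys
from pathlib import Path
from xml.parsers.expat import ExpatError

# Location of the Electron runtime inside a macOS app bundle (assumed layout,
# based on how Electron apps are commonly packaged).
FRAMEWORK = "Contents/Frameworks/Electron Framework.framework"
# Info.plist locations to try inside the framework, most common first.
PLISTS = ("Versions/A/Resources/Info.plist", "Resources/Info.plist")


def electron_version(app):
    """Return the bundled Electron version, "unknown" if unreadable, None if not Electron."""
    framework = Path(app) / FRAMEWORK
    if not framework.is_dir():
        return None
    for rel in PLISTS:
        try:
            with open(framework / rel, "rb") as fh:
                info = plistlib.load(fh)
        except (OSError, ExpatError, plistlib.InvalidFileException):
            continue  # missing or malformed plist: try the next location
        if isinstance(info, dict):
            version = info.get("CFBundleVersion") or info.get("CFBundleShortVersionString")
            if version:
                return str(version)
    return "unknown"


def inventory(root):
    """Return sorted (app name, Electron version) pairs for bundles under root."""
    found = []
    # Check apps directly in root and one folder down (e.g. Utilities/).
    for pattern in ("*.app", "*/*.app"):
        for app in Path(root).glob(pattern):
            version = electron_version(app)
            if version is not None:
                found.append((app.name, version))
    return sorted(found)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/Applications"
    for name, version in inventory(root):
        print(f"{name}\tElectron {version}")
```

Apps reported as "unknown" contain the framework but no readable version, so check them with the vendor directly.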
How can I learn more?
Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.
You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news.