Google has released its latest Chrome update warning for 2 billion Microsoft Windows, with three high-severity vulnerabilities patched. As always, users are advised to update their browser immediately. In terms of timing, just as this latest update hit users, we also have details about a dangerous exploit of a Chrome security threat that tricked users into visiting a website with “a hidden script that ” launched a zero-day exploit and gave the attackers control over the victim’s PC.

These attacks exploited the same type of vulnerability corrected in this latest version. Windows users can now update their browser to 130.0.6723.69/.70which should be downloaded automatically. Just make sure to reboot twice and make sure the update installs. While one of the three fixes affects the use of extensions, the other two pose “confusing” memory threats to the V8 engine that powers Chrome.

ForbesApple discovers a “revolutionary” new update for the iPhone: how will Samsung react?By Zak Doffman

This update comes as Kaspersky The research team published details of a Chrome vulnerability that Google disclosed and patched in May. This team has now shared “in great detail the vulnerabilities exploited by the attackers and the game they used as bait (we had to develop our own server for this online game).”

The exploited zero day is CVE-2024-4947, which I reported at the time and for which Google quickly warned that “an exploit exists in the wild”. This threat was also a “type confusion in the V8”. The US government’s cybersecurity agency has added CVE-2024-4947 to its catalog of known exploited vulnerabilities and ordered all federal employees to update their PCs. We are not yet talking about new exploits, although this could change: once again, the type of vulnerabilities this time is generally the same.

Kaspersky attributes the attacks to the APT Lazarus group, “a highly sophisticated and multifaceted Korean-speaking threat actor.” The backdoor attack exploited the group’s Manuscrypt tool, malware that Lazarus “has been using since at least 2013,” Kaspersky says. “We have documented its use in over 50 unique campaigns targeting governments, diplomatic entities, financial institutions, military and defense contractors, cryptocurrency platforms, IT and telecommunications operators, gaming companies, the media, casinos, universities and even security researchers.”

The attack was detected on the PC of a home user who had visited detankzone(.)com. “This website looked like a professionally designed product page for a multiplayer online battle arena (MOBA) tank game based on decentralized finance (DeFi) NFT (non-fungible token), inviting users to download a trial version. But it was just a disguise. The dangerous script was hidden behind the site. “Just visiting the website was enough to get infected – the game was just a distraction.”

Microsoft also issued a warning that a North Korean threat actor had exploited Chrome’s zero-day, but Kaspersky’s report delves into the details of the attack, a pretty stark warning for users about how easy it is to they can be compromised, as a result of breadcrumbs left by attack sets as they browse the web.

So why such regular V8 vulnerabilities? Kaspersky explains that “the heart of every web browser is its JavaScript engine. The JavaScript engine in Google Chrome is called V8 – Google’s open source JavaScript engine. For reduced memory consumption and maximum speed, V8 uses a fairly complex JavaScript compilation pipeline, currently consisting of an interpreter and three JIT compilers. CVE-2024-4947 was a vulnerability in a new optimized compiler in v8.

ForbesApple confirms a surprising decision for all iPhone users: bad news for GoogleBy Zak Doffman

For almost all of these 2 billion Chrome users, the only two details that matter are how attackers trick their victims into visiting malicious sites, via social media posts and phishing emails, thus generating visits to a website specially created to carry out the attack. In this case, the game. This is why it is so not recommended to click on such links. Once the exploit is executed, an attacker starts extracting your data. Starting with cookies and credentials in Chrome, but potentially extending to your PC itself. Which brings us to the second critical point: keep your browser updated.

“Historically,” Kaspersky says, half of the bugs discovered or exploited in Google Chrome and other web browsers have affected its compilers. Huge changes in the web browser code base and the introduction of new JIT compilers inevitably lead to a large number of new vulnerabilities. Chrome is working on its V8 sandbox to reduce these memory vulnerabilities, while Microsoft Edge’s approach doesn’t leave it exposed in the same way. That’s why Microsoft presented Edge as a more secure alternative to Chrome, taking advantage of warnings exactly like this one..

The irony is that Kaspersky is reporting a Google vulnerability, just like its software. removed from Google Play Store following its ban in the United States. Timing, as they say, is everything after all. Regardless, Kaspersky’s report exposes the danger of V8 memory vulnerabilities, with two other high-severity threats now patched. Users should make sure to update to the latest browser version immediately.