Google Addresses Additional Chrome Zero-Day Exploited at Pwn2Own
April 3, 2024
Google has patched a zero-day vulnerability in its Chrome browser, CVE-2024-3159, discovered during last month's Pwn2Own hacking contest. The high-severity flaw is an out-of-bounds read in the V8 JavaScript engine. Remote attackers could exploit it with specially crafted HTML pages, potentially gaining access to sensitive data or causing the browser to crash.
Security researchers Edouard Bochin and Tao Yan from Palo Alto Networks demonstrated the exploit on the second day of Pwn2Own Vancouver 2024, successfully bypassing V8 hardening. Their exploit allowed them to execute arbitrary code on both Google Chrome and Microsoft Edge, earning them a $42,500 prize.
Google has now addressed the zero-day in the stable channel version of Google Chrome 123.0.6312.105/.106/.107 for Windows and Mac, and 123.0.6312.105 for Linux. These updates will be rolled out globally in the coming days.
A week prior, Google patched two more Chrome zero-days exploited at the Pwn2Own Vancouver 2024 event. The first, CVE-2024-2887, was a high-severity type confusion weakness in the WebAssembly (Wasm) open standard. The second, CVE-2024-2886, was a use-after-free weakness in the WebCodecs API. Both were exploited to gain remote code execution on both Chrome and Edge browsers.
Mozilla also patched two Firefox zero-days exploited during the same competition. Both Google and Mozilla released security patches within a week, although vendors typically take longer to fix Pwn2Own zero-days, since Trend Micro's Zero Day Initiative publicly discloses bug details only after 90 days.
In total, Google has patched four Chrome zero-days this year. The fourth, CVE-2024-0519, was addressed in January and was being actively exploited to crash unpatched browsers or access sensitive data due to an out-of-bounds memory access weakness in the V8 JavaScript engine.
On Tuesday, Google also fixed two Android zero-days that were being exploited by forensic firms to unlock Pixel phones without a PIN and gain access to the data stored within them.