Google Addresses Additional Chrome Zero-Day Exploited at Pwn2Own

April 3, 2024

Google has patched a zero-day vulnerability in its Chrome browser, CVE-2024-3159, discovered during last month's Pwn2Own hacking contest. The high-severity flaw is an out-of-bounds read in the V8 JavaScript engine. Remote attackers could exploit it with specially crafted HTML pages, potentially gaining access to sensitive data or causing the browser to crash.

Security researchers Edouard Bochin and Tao Yan from Palo Alto Networks demonstrated the exploit on the second day of Pwn2Own Vancouver 2024, successfully bypassing V8 hardening. Their exploit allowed them to execute arbitrary code on both Google Chrome and Microsoft Edge, earning them a $42,500 prize.

Google has now addressed the zero-day in the stable channel version of Google Chrome 123.0.6312.105/.106/.107 for Windows and Mac, and 123.0.6312.105 for Linux. These updates will be rolled out globally in the coming days.
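For teams tracking the rollout, the following added example (not from Google or the original article) checks a software inventory against the fixed builds listed above. The `hostname,platform,chrome_version` inventory format, the hostnames and the sample versions are constructed assumptions, as is treating any build at or above the lowest listed fixed build as patched.

```python
import re

# Lowest fixed Stable build per platform, as listed in the article for CVE-2024-3159.
# Assumption: any later build also carries the fix.
FIXED_BUILD = {
    "windows": (123, 0, 6312, 105),
    "mac": (123, 0, 6312, 105),
    "linux": (123, 0, 6312, 105),
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")

def parse_version(text):
    """Return a 4-tuple of ints for a Chrome version string, or None if malformed."""
    m = VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def classify(platform, version_text):
    """Return 'patched', 'vulnerable', or 'unknown' for one inventory entry."""
    floor = FIXED_BUILD.get(platform.strip().lower())
    version = parse_version(version_text)
    if floor is None or version is None:
        return "unknown"  # unlisted platform or unparseable version: review by hand
    # Compare numerically: as strings, "123.0.6312.99" would sort above ".105".
    return "patched" if version >= floor else "vulnerable"

def audit(inventory_csv):
    """Map hostname -> status for lines of 'hostname,platform,chrome_version'."""
    results = {}
    for line in inventory_csv.strip().splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) == 3:
            results[fields[0]] = classify(fields[1], fields[2])
    return results

# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE = """
ws-001,Windows,123.0.6312.86
ws-002,Windows,123.0.6312.106
mb-010,Mac,123.0.6312.105
lx-020,Linux,123.0.6312.99
lx-021,Linux,124.0.6367.60
kiosk-1,ChromeOS,123.0.6312.94
ws-003,Windows,123.0.6312
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```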

A week prior, Google patched two more Chrome zero-days exploited at the Pwn2Own Vancouver 2024 event. The first, CVE-2024-2887, was a high-severity type confusion weakness in the WebAssembly (Wasm) open standard. The second, CVE-2024-2886, was a use-after-free weakness in the WebCodecs API. Both were exploited to gain remote code execution on both Chrome and Edge browsers.

Mozilla also patched two Firefox zero-days exploited during the same competition. Both Google and Mozilla released security patches within a week, although vendors typically take longer to fix Pwn2Own zero-days, as Trend Micro's Zero Day Initiative publicly discloses bug details only after 90 days.

In total, Google has patched four Chrome zero-days this year. The fourth, CVE-2024-0519, was addressed in January and was being actively exploited to crash unpatched browsers or access sensitive data due to an out-of-bounds memory access weakness in the V8 JavaScript engine.

On Tuesday, Google also fixed two Android zero-days that were being exploited by forensic firms to unlock Pixel phones without a PIN and gain access to the data stored within them.
