Chrome Zero-Day Vulnerability Exploited At Pwn2Own : Patch Now

Google fixed three vulnerabilities in the Chrome browser on Tuesday, along with another zero-day exploit that was exploited during the Pwn2Own Vancouver 2024 hacking contest.

Google recently fixed two more zero-day vulnerabilities that were exploited during the Pwn2Own hacking competition.

Palo Alto Networks’ Edouard Bochin (@le_douds) and Tao Yan (@Ga1ois) reported the vulnerability identified as CVE-2024-3159 on March 22, 2024, during Pwn2Own 2024

Both of them received $42,500 and 9 Master of Pwn points for successfully showcasing their attack against Microsoft Edge and Google Chrome.

Google has fixed the vulnerabilities in the Google Chrome Stable channel to 123.0.6312.105/.106/.107 for Windows and Mac and 123.0.6312.105 for Linux. The update will be rolled out in the upcoming days and weeks.

Specifics Of Zero-Day Flaw Addressed – CVE-2024-3159

The CVE-2024-3159 vulnerability is an out-of-bounds memory access in the V8 JavaScript engine. 

By deceiving the victim into visiting a specially created HTML page, a remote attacker can exploit this vulnerability and obtain access to data that is beyond the memory buffer, so causing heap corruption. 

The exploitation of vulnerability may cause a crash or the exposing of sensitive data.

On the second day of Pwn2Own, security researchers Edouard Bochin and Tao Yan from Palo Alto Networks demonstrated the zero-day.

Other Security Flaws Addressed

Google also fixed inappropriate implementation in V8, which has been identified as CVE-2024-3156. 

Following Zhenghang Xiao’s (@Kipreyyy) disclosure of the issue, Google granted a reward of $7,000.

CVE-2024-3158, Use after free in Bookmarks, was also fixed by Google. After undoingfish reported the issue, Google offered $3000 as a reward.

How To Update?

To view the most recent version on desktop devices, Google Chrome users can navigate to Menu > Help > About Google Chrome or type chrome://settings/help into the address bar. 

The browser looks for updates as soon as the website is accessed; it downloads and installs any that it finds. It ought to detect and install the latest version.

To finish the update, the browser must be restarted.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed”, Google said.

Google patched multiple Chrome browser vulnerabilities at the end of March, including two zero-day vulnerabilities that were disclosed during the Pwn2Own 2024. These vulnerabilities are identified as CVE-2024-2886 and CVE-2024-2887.

Mozilla also addresses two zero-day vulnerabilities tracked as CVE-2024-29944 and CVE-2024-29943 that were recently exploited by Manfred Paul (@_manfp) at the Pwn2Own hacking contest in the Firefox web browser.

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.