Cyber Security News

2 Chrome Zero-Days Exploited At Pwn2Own 2024: Patch Now

Google patched seven vulnerabilities in the Chrome browser on Tuesday, including two zero-days that were exploited at the Pwn2Own Vancouver 2024 hacking contest.

Researchers at the Pwn2Own contest exploited the two zero-days, a Type Confusion in WebAssembly (CVE-2024-2887) and a Use after free in WebCodecs (CVE-2024-2886).

Google has fixed the vulnerabilities by updating the Chrome Stable channel to 123.0.6312.86/.87 for Windows and Mac, and 123.0.6312.86 for Linux.

The update will be rolled out in the upcoming days and weeks.

Details Of The Zero-Day Flaws Addressed

The competition’s winner, researcher Manfred Paul (@_manfp), exploited a high-severity Type Confusion flaw in WebAssembly identified as CVE-2024-2887 and received a $42,500 award for it on the first day of the Pwn2Own contest.

Prior to Google Chrome 123.0.6312.86, type confusion in WebAssembly allowed a remote attacker to run arbitrary code through a crafted HTML page.

KAIST Hacking Lab’s Seunghyun Lee (@0x10n) exploited a high-severity use-after-free in WebCodecs tracked as CVE-2024-2886; he received 9 Master of Pwn points and $85,000 on the second day of the Pwn2Own contest.

Prior to Google Chrome 123.0.6312.86, use after free in WebCodecs allowed a remote attacker to carry out arbitrary read/write via a crafted HTML page. 

Other Security Issues Addressed

A critical use after free in ANGLE is tracked as CVE-2024-2883. Cassidy Kim (@cassidy6564) reported the issue, and Google awarded her a $10,000 reward for it.

The vulnerability could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page.

A high-severity use after free in Dawn is identified as CVE-2024-2885. Researcher Wgslfuzz reported the problem. Google did not provide details about the reward for this vulnerability.

Using a specially crafted HTML page, a remote attacker might have been able to exploit heap corruption through this vulnerability.

How To Update?

To check the installed version on desktop devices, Google Chrome users can navigate to Menu > Help > About Google Chrome or type chrome://settings/help into the address bar.

The browser checks for updates as soon as this page is opened, then downloads and installs any that it finds. It should detect and install the latest version.

To finish the update, the browser must be restarted.
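When many machines need checking rather than one, the comparison against the fixed build can be scripted. The following is an added example, not from Google or the original article; the host names and inventory strings are constructed, and it assumes version strings in the form printed by `google-chrome --version`.

```python
import re

# Fixed Stable build named in the article: 123.0.6312.86 on Linux,
# 123.0.6312.86/.87 on Windows and Mac. Anything at or above .86 is patched.
FIXED_BUILD = (123, 0, 6312, 86)

# Exactly four dot-separated numeric fields, not part of a longer dotted run.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_chrome_version(text):
    """Extract a four-part Chrome version from free text, or None if absent."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def is_patched(text, fixed=FIXED_BUILD):
    """True if at or above the fixed build, False if older, None if unparsable."""
    version = parse_chrome_version(text)
    # Compare as integer tuples: a plain string comparison would rank
    # "99.0.4844.84" above "123.0.6312.86" and report it as patched.
    return None if version is None else version >= fixed


def audit(inventory):
    """Map each host to 'patched', 'VULNERABLE' or 'unknown'."""
    labels = {True: "patched", False: "VULNERABLE", None: "unknown"}
    return {host: labels[is_patched(raw)] for host, raw in inventory.items()}


# Constructed sample inventory (hypothetical hosts and collected strings).
SAMPLE = {
    "ws-01": "Google Chrome 123.0.6312.86",
    "ws-02": "Google Chrome 123.0.6312.58",
    "mac-01": "Google Chrome 123.0.6312.87",
    "ws-03": "Google Chrome 99.0.4844.84",
    "lin-01": "Google Chrome 124.0.6367.60 ",
    "kiosk-01": "chrome: command not found",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host:10} {status}")
```

Hosts reported as "unknown" need manual follow-up, since a missing version string does not mean the browser is absent or patched.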

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on but haven’t yet fixed,” Google said.

There is no indication from Google that any of these vulnerabilities are being used in the wild.

Google recommends that users update to the most recent version of Google Chrome to prevent exploitation of these vulnerabilities.

Notably, Mozilla has also addressed two zero-day vulnerabilities in the Firefox web browser, tracked as CVE-2024-29944 and CVE-2024-29943, that were recently exploited by Manfred Paul (@_manfp) at the Pwn2Own hacking contest.

Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
