Google Chrome Zero-Day Patched Post-Pwn2Own March Exploits
Google has successfully addressed another zero-day vulnerability discovered in the Chrome browser. Tracked as CVE-2024-3159, this high-severity flaw, exploited by security researchers during the recent Pwn2Own hacking contest, posed significant risks to user data and system integrity.
The vulnerability, attributed to an out-of-bounds read weakness in the Chrome V8 JavaScript engine, allowed remote attackers to execute arbitrary code via crafted HTML pages. By exploiting heap corruption, attackers could gain unauthorized access to data beyond the memory buffer, potentially exposing sensitive information or triggering browser crashes.
During the Pwn2Own Vancouver 2024 event, Palo Alto Networks security researchers Edouard Bochin and Tao Yan showcased a double-tap exploit leveraging CVE-2024-3159 to execute arbitrary code on both Google Chrome and Microsoft Edge browsers. Their demonstration earned them a notable $42,500 award and underscored the urgency of addressing such vulnerabilities.
Confirmed! @le_douds and @Ga1ois from Palo Alto used an OOB Read plus a novel technique for defeating V8 hardening to get arbitrary code execution in the renderer. They were able to exploit #Chrome and #Edge with the same bugs, earning $42,500 and 9 Master of Pwn points. #Pwn2Own pic.twitter.com/EhFIEntnPw
— Zero Day Initiative (@thezdi) March 21, 2024
Google swiftly patched the zero-day in the Chrome stable channel, releasing version 123.0.6312.105/.106/.107 for Windows and Mac, and version 123.0.6312.105 for Linux. These updates are set to roll out globally in the coming days, ensuring users are protected against potential exploitation.
This latest fix follows Google’s recent efforts to address vulnerabilities exploited at Pwn2Own Vancouver 2024, including two additional zero-days: a type confusion weakness (CVE-2024-2887) in the WebAssembly (Wasm) standard and a use-after-free (UAF) weakness in the WebCodecs API (CVE-2024-2886). By swiftly releasing patches, Google demonstrates its commitment to enhancing browser security and safeguarding users from emerging threats.