Google fixes Chrome zero-day exploited at Pwn2Own 2024

Google has patched another zero-day vulnerability in its Chrome web browser, which was recently exploited at the Pwn2Own hacking competition in March. The vulnerability, tracked as CVE-2024-3159, is an out-of-bounds memory access flaw in the V8 JavaScript engine. During the Pwn2Own 2024 event held in Vancouver, security researchers Edouard Bochin and Tao Yan from Palo Alto Networks demonstrated the vulnerability and successfully exploited it. Their demonstration earned the researchers a cash prize of $42,500 and 9 Master of Pwn points.

The CVE-2024-3159 vulnerability could allow a remote attacker to trick a victim into visiting a maliciously crafted HTML page. This could lead to unauthorized access to data beyond the memory buffer, causing heap corruption and potentially resulting in the disclosure of sensitive information or a crash. The Chrome development team has addressed the issue with the release of Chrome 123.0.6312.105/.106/.107 for Windows and Mac, and 123.0.6312.105 for Linux. These updates will be rolled out over the coming days/weeks.

In addition to the CVE-2024-3159 zero-day, Google also patched several other vulnerabilities, including two high-severity issues. The first is an inappropriate implementation in V8, tracked as CVE-2024-3156, and was reported by Zhenghang Xiao (@Kipreyyy) on March 12, 2024. The second is a use-after-free flaw in Bookmarks, identified as CVE-2024-3158, and was reported by undoingfish on March 17, 2024.

Pwn2Own is a popular hacking competition where security researchers and experts showcase their expertise and abilities to exploit vulnerabilities in popular software and applications. The event allows participants to demonstrate various exploits and provides insight into the current state of cybersecurity and potential vulnerabilities. These vulnerabilities can then be patched by developers to enhance the security of the software. Google has previously addressed other Chrome zero-days exploited at Pwn2Own events, including CVE-2024-2886 and CVE-2024-2887, which were both demonstrated at Pwn2Own Vancouver 2024.

It's worth noting that CVE-2024-3159 is the third Chrome zero-day that Google has patched in the last two months, highlighting the company's efforts to enhance the browser's security and protect users from potential attacks. These vulnerabilities are dangerous because they are unknown to developers and cannot be protected against. It is only through the diligence of researchers and companies like Google that these vulnerabilities are discovered and patched to protect users from harmful exploitation.

Read more