Pwn2Own Vancouver 2024: Google fixes 7 security vulnerabilities, including two zero-days

The fixes were released with version 123.0.6312.86/.87 for Windows & Mac and 123.0.6312.86 for Linux

Reading time icon 2 min. read


Readers help support Windows Report. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help Windows Report sustain the editorial team. Read more

Pwn2Own Vancouver 2024: Google fixes 7 security vulnerabilities, including two zero-days

Recently, during the Pwn2Own Vancouver 2024 hacking competition, Google fixed a total of seven security vulnerabilities in the Chrome web browser. Let’s talk about the critical ones.

The first zero-day is CVE-2024-2887, a high-severity Type Confusion weakness in the WebAssembly (Wasm) open standard.

Manfred Paul put this vulnerability on public view on the Pwn2Own’s first day as a part of a double-tap remote code execution (RCE) exploit, which uses a crafted HTML page and targets both Edge and Chrome.

The second one is CVE-2024-2886. KAIST Hacking Lab’s Seunghyun Lee exploited this vulnerability on the second day of the CanSecWest Pwn2Own contest.

This one is described as a Use After Free (UAF) weakness in the WebCodecs API, which web apps utilize to encode/decode audio and video content. Hackers use it to perform arbitrary reads/writes remotely through crafted HTML pages.

Seunghyun Lee also used CVE-2024-2886 to gain remote code execution utilizing a single exploit to attack both Google Chrome and Microsoft Edge.

Google has fixed both zero-day threats in the Google Chrome stable channel. With version 123.0.6312.86/.87 for Windows and Mac and 123.0.6312.86 for Linux, hackers can no longer target your device using these vulnerabilities. The update will be available globally soon.

Mozilla Firefox also fixed two critical zero-day vulnerabilities, one in Firefox 124.0.1 and one in Firefox ESR 115.9.1, after Manfred Paul spotted and exploited them at Pwn2Own Vancouver 2024.

Mozilla fixed these issues in a single day, and Google took five days to patch up these vulnerabilities. This is quite quick, as vendors have 90 days to fix them until Trend Micro Zero Day Initiative discloses the bug details publicly.

In January 2024, Google and Microsoft patched up another zero-day in Chrome and Edge, respectively. It can gain access to users’ personal information including social media credentials and banking details, and crash unpatched browsers because of out-of-bounds memory access weakness in the Chrome V8 JavaScript engine.

More about the topics: Chrome

User forum

0 messages