Thursday, December 12, 2024
HomeChrome2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Published on

SIEM as a Service

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including two zero-day exploits showcased at the prestigious Pwn2Own 2024 hacking competition.

The update, which affects Chrome users on Windows, Mac, and Linux, elevates the browser version to 123.0.6312.86/.87 for Windows and Mac, and 123.0.6312.86 for Linux, with the rollout expected to reach users progressively over the coming days and weeks.

Security Fixes and Rewards

Google’s latest security update includes fixes for seven vulnerabilities, with a special emphasis on those discovered by external researchers.

- Advertisement - SIEM as a Service

The tech giant has a longstanding tradition of rewarding these contributors for identifying and reporting bugs.

This practice enhances Chrome’s security and fosters a collaborative relationship between the company and the cybersecurity community.

Critical CVE-2024-2883: Use After Free in ANGLE

One of the most critical issues addressed in this update is CVE-2024-2883, a use-after-free vulnerability in ANGLE, a cross-platform graphics engine abstraction layer used by Chrome to improve graphics performance on various platforms.

This vulnerability was reported by Cassidy Kim (@cassidy6564) on March 3, 2024, and has been rewarded with a $10,000 bounty. Use-after-free vulnerabilities can lead to arbitrary code execution, making them particularly dangerous.

High CVE-2024-2885: Use After Free in Dawn

Another significant vulnerability patched in this release is CVE-2024-2885, a high-severity use-after-free issue in Dawn, an open-source and cross-platform implementation of the WebGPU standard.

This bug was reported by an entity known as Fuzz on March 11, 2024.

The severity of this vulnerability underscores the importance of timely updates to mitigate potential risks.

High CVE-2024-2886 and CVE-2024-2887: Exploits Unveiled at Pwn2Own 2024

However, the spotlight shines on two high-severity vulnerabilities, CVE-2024-2886 and CVE-2024-2887, unveiled during the Pwn2Own 2024 competition.

CVE-2024-2886, reported by Seunghyun Lee (@0x10n) of KAIST Hacking Lab, is a use-after-free vulnerability in WebCodecs, a component critical for efficient media content encoding and decoding.

CVE-2024-2887, reported by Manfred Paul, involves type confusion in WebAssembly, a binary instruction format for a stack-based virtual machine that enables high-performance applications on the web.

These discoveries at Pwn2Own highlight the event’s role in identifying and mitigating potential threats before they can be exploited maliciously.

Ongoing Security Efforts

Google also acknowledges the contributions of its internal security team, whose ongoing efforts have led to various fixes identified through internal audits, fuzzing, and other initiatives.

The company’s use of tools like AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, and AFL is crucial in detecting and addressing security bugs.

Chrome users are urged to update their browsers immediately to protect against these vulnerabilities.

For those interested in switching release channels or reporting new issues, Google provides resources and a community help forum for assistance and learning about common issues.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Resecurity introduces Government Security Operations Center (GSOC) at NATO Edge 2024

Resecurity, a global leader in cybersecurity solutions, unveiled its advanced Government Security Operations Center...

Reserachers Uncovered Zloader DNS Tunneling Tactics For Stealthy C2 Communication

Zloader, a sophisticated Trojan, has recently evolved with features that enhance its stealth and...

US Charged Chinese Hackers for Exploiting Thousands of Firewall

The US Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned Sichuan Silence...

DMD Diamond Launches Open Beta for v4 Blockchain Ahead of 2025 Mainnet

DMD Diamond - one of the oldest blockchain projects in the space has announced the...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Reserachers Uncovered Zloader DNS Tunneling Tactics For Stealthy C2 Communication

Zloader, a sophisticated Trojan, has recently evolved with features that enhance its stealth and...

US Charged Chinese Hackers for Exploiting Thousands of Firewall

The US Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned Sichuan Silence...

DMD Diamond Launches Open Beta for v4 Blockchain Ahead of 2025 Mainnet

DMD Diamond - one of the oldest blockchain projects in the space has announced the...