On Tuesday, Google addressed seven security flaws in its Chrome browser, including a pair of zero-day vulnerabilities that were highlighted during the 2024 Pwn2Own event in Vancouver.
The first zero-day, identified as CVE-2024-2887, is a high-risk type confusion issue in WebAssembly (Wasm). Demonstrated by Manfred Paul on Pwn2Own’s first day, this vulnerability was part of an exploit that achieved remote code execution (RCE) by using a specially crafted HTML page to target both the Chrome and Edge browsers.
The second zero-day, CVE-2024-2886, was leveraged by Seunghyun Lee from the KAIST Hacking Lab on the contest’s second day at CanSecWest’s Pwn2Own event. It involves a use-after-free (UAF) vulnerability in the WebCodecs API, which web applications use for encoding and decoding audio and video. This flaw could let attackers conduct arbitrary data operations through malicious HTML pages.
Using CVE-2024-2886, Lee also managed to execute remote code by employing a single exploit affecting both Google Chrome and Microsoft Edge browsers.
These zero-days were fixed in the stable release of Google Chrome, version 123.0.6312.86/.87 for Windows and Mac, and version 123.0.6312.86 for Linux. The update will be distributed globally over the coming days.
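To check a fleet against the fixed builds listed above, the following added example (not from the article or from Google) classifies browser inventory records. The record layout, function names and sample hosts and versions are assumptions constructed for illustration.

```python
import re

# Fixed Chrome builds as stated in the article. Windows and Mac list
# 123.0.6312.86/.87, so .86 is the lowest patched build on every platform.
FIXED = {"windows": (123, 0, 6312, 86),
         "mac": (123, 0, 6312, 86),
         "linux": (123, 0, 6312, 86)}

VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")

def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a.b.c.d."""
    text = text.strip()
    if not VERSION_RE.match(text):
        return None
    return tuple(int(p) for p in text.split("."))

def assess(browser, platform, version):
    """Classify one inventory record as 'patched', 'vulnerable' or 'unknown'."""
    # The article gives fixed builds for Chrome only; Edge and anything else
    # cannot be judged from these numbers.
    if browser.lower() != "chrome":
        return "unknown"
    fixed = FIXED.get(platform.lower())
    parsed = parse_version(version)
    if fixed is None or parsed is None:
        return "unknown"
    # Tuple comparison is numeric per component, so build .9 sorts below .86
    # (a plain string comparison would get this wrong).
    return "patched" if parsed >= fixed else "vulnerable"

def audit(records):
    """Map host -> status for (host, browser, platform, version) records."""
    return {host: assess(b, p, v) for host, b, p, v in records}

# Constructed sample inventory (hosts and versions are made up).
SAMPLE = [
    ("ws-01", "Chrome", "Windows", "123.0.6312.87"),
    ("ws-02", "Chrome", "Windows", "123.0.6312.59"),
    ("mac-01", "Chrome", "Mac", "122.0.6261.129"),
    ("lnx-01", "Chrome", "Linux", "123.0.6312.9"),
    ("lnx-02", "Chrome", "Linux", "124.0.6367.60"),
    ("ws-03", "Edge", "Windows", "123.0.2420.53"),
    ("ws-04", "Chrome", "Windows", "123.0.6312"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Records reported as "unknown" (Edge, or a truncated version string) need a separate check against the vendor's own advisory.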
Notably, Mozilla also patched a couple of Firefox zero-days that Manfred Paul exploited at the same Pwn2Own Vancouver 2024 event, on the very day they were showcased.
Although Mozilla addressed these issues in a day and Google in five, vendors generally take their time developing patches for vulnerabilities revealed at Pwn2Own, since they have a 90-day window before Trend Micro’s Zero Day Initiative makes the bug details public.
Earlier in January, Google also fixed a zero-day vulnerability (CVE-2024-0519) in Chrome that was being actively exploited. The flaw, an out-of-bounds memory access issue in Chrome’s V8 JavaScript engine, could allow attackers to gather sensitive data or cause crashes in browsers that hadn’t been updated.
The Pwn2Own 2024 event in Vancouver concluded on March 22, with security experts being awarded a total of $1,132,500 for uncovering 29 zero-day exploits and exploit chains across two days.