Urgent Chrome Fix: Patch Addresses Pwn2Own Exploit
Google has remedied a critical vulnerability in the Chrome browser, identified during the Pwn2Own 2024 competition in Vancouver.
The vulnerability, CVE-2024-3159, stems from an out-of-bounds read error in the V8 JavaScript engine, potentially allowing unauthorized data access or causing browser malfunctions.
A remote attacker could exploit this vulnerability by using crafted HTML pages to access data beyond the memory buffer through heap corruption, which could expose sensitive information or crash the system.
Researchers Eduard Bosch and Tao Yan from Palo Alto Networks demonstrated the vulnerability’s exploitation at the contest, successfully circumventing the V8 engine’s defenses with a sophisticated attack, enabling them to execute arbitrary code in Google Chrome and Microsoft Edge browsers. For their achievement, the experts were awarded $42,500.
Google promptly released an update for the stable version of Google Chrome (versions 123.0.6312.105/.106/.107 for Windows and Mac, and 123.0.6312.105 for Linux), which will be distributed globally in the coming days.
Before this, Google had addressed four additional vulnerabilities revealed at Pwn2Own 2024, including an actively exploited zero-day vulnerability.
On the first day of the Pwn2Own competition in Vancouver in 2024, participants uncovered 19 zero-day vulnerabilities in Windows 11, Tesla vehicles, and Ubuntu. For their discoveries, the specialists were awarded a total of $732,500 and a Tesla Model 3.
Following the demonstration of vulnerabilities at Pwn2Own, manufacturers are given 90 days to develop and release security patches for all identified flaws before they are made public.