Malware & Threats

Chrome Update Patches Zero-Day Vulnerabilities Exploited at Pwn2Own

Google ships a security-themed Chrome browser refresh to fix flaws exploited at the CanSecWest Pwn2Own hacking contest.

Published

Chrome security updates

Google on Tuesday released a Chrome browser security update to address seven vulnerabilities, including four reported by external researchers.

The most severe of the externally reported flaws is a use-after-free bug in ANGLE, the open source cross-platform graphics engine used in Chrome and other popular browsers.

The issue is tracked as CVE-2024-2883 and Google notes in its advisory that the researcher who discovered the bug has received a $10,000 bug bounty reward.

According to the advisory, the three other defects reported by external researchers are all high-severity vulnerabilities.

The first is CVE-2024-2885, a use-after-free issue in Dawn. The remaining two flaws, tracked as CVE-2024-2886 and CVE-2024-2887, are zero-day vulnerabilities that were exploited and reported last week at the Pwn2Own Vancouver 2024 hacking contest. No additional bounty rewards, aside from those earned at the competition, were handed out for these issues.

CVE-2024-2886, a use-after-free in WebCodecs, was demonstrated by Seunghyun Lee of KAIST Hacking Lab, who exploited two such issues in the browser at the hacking contest and earned a total of $145,000 in rewards.

CVE-2024-2887 is a Type Confusion bug in WebAssembly, exploited on the first day of Pwn2Own by security researcher Manfred Paul, who earned a $42,500 reward for it.

Paul also demonstrated Safari and Firefox vulnerabilities at the hacking contest, earning a total of over $200,000 in rewards and winning the competition. Mozilla was first to release patches for the zero-day demonstrated at Pwn2Own.

Advertisement. Scroll to continue reading.

The latest Chrome iteration is now rolling out as version 123.0.6312.86/.87 for Windows and macOS, and as version 123.0.6312.86 for Linux.

While Google makes no mention of any of these vulnerabilities being exploited in the wild, users are advised to update their browsers as soon as possible.

Related: Despite Surge in Zero-Days, Exploit Mitigations Are Working

Related: Chrome 123, Firefox 124 Patch Serious Vulnerabilities

Related: Chrome 122, Firefox 123 Patch High-Severity Vulnerabilities

Related: Chrome’s Standard Safe Browsing Now Has Real-Time URL Protection

In this article:, ,

Related Content

MITRE hacked

Nation-State

MITRE Hack: China-Linked Group Breached Systems in December 2023

MITRE has shared more details on the recent hack, including the new malware involved in the attack and a timeline of the attacker’s activities.

21 hours ago

Cloud Security

Island Secures $175M Investment as Enterprise Browser Startups Defy Tech Giants

Despite competitive pressures from industry behemoths like Microsoft and Google, investors are still betting big on startups in the specialized enterprise browser space.

April 30, 2024

Malware & Threats

Over 1,400 CrushFTP Instances Vulnerable to Exploited Zero-Day

More than 1,400 CrushFTP servers remain vulnerable to an actively exploited zero-day for which PoC has been published.

April 26, 2024

Malware & Threats

Palo Alto Networks Releases Fixes for Firewall Zero-Day as Attribution Attempts Emerge

Palo Alto Networks has started releasing hotfixes for the firewall zero-day CVE-2024-3400, which some have linked to North Korea’s Lazarus. 

April 15, 2024

Malware & Threats

Microsoft Patches Two Zero-Days Exploited for Malware Delivery

Microsoft patches CVE-2024-29988 and CVE-2024-26234, two zero-day vulnerabilities exploited by threat actors to deliver malware.

April 10, 2024

Government

Ivanti CEO Vows Cybersecurity Makeover After Zero-Day Blitz

Ivanti releases a carefully scripted YouTube video and an open letter from chief executive Jeff Abbott vowing to fix the entire security organization.

April 4, 2024

Vulnerabilities

Google Patches Chrome Flaw That Earned Hackers $42,500 at Pwn2Own

Google pushes a new Chrome update to patch another zero-day vulnerability demonstrated at a hacking contest.

April 3, 2024

Malware & Threats

Google Report: Despite Surge in Zero-Day Attacks, Exploit Mitigations Are Working

Despite a surge in zero-day attacks, data shows that security investments into OS and software exploit mitigations are forcing attackers to find new attack...

March 27, 2024

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version