In a significant move to bolster browser security, Google has recently patched seven vulnerabilities in its Chrome browser, including two zero-day exploits that were highlighted during the Pwn2Own Vancouver 2024 hacking contest.
This update underscores the ongoing battle against cyber threats and the importance of maintaining up-to-date security measures for internet users worldwide.
The Pwn2Own contest, a platform for ethical hackers to demonstrate their skills by exploiting vulnerabilities in widely used software, saw researchers successfully exploiting two critical zero-day vulnerabilities in Google Chrome.
These vulnerabilities, identified as a Type Confusion in WebAssembly (CVE-2024-2887) and a Use After Free in WebCodecs (CVE-2024-2886), allowed attackers to execute arbitrary code through crafted HTML pages, posing a significant risk to Chrome users.
The Type Confusion vulnerability (CVE-2024-2887) was exploited by researcher Manfred Paul, who received a $42,500 reward for his discovery on the first day of the contest.
This flaw could allow a remote attacker to run arbitrary code via a specially crafted HTML page, leading to potential exploitation.
On the other hand, the Use After Free vulnerability in WebCodecs (CVE-2024-2886) was demonstrated by KAIST Hacking Lab’s Seunghyun Lee, earning him $85,000 and nine Master of Pwn points.
This vulnerability also allowed for arbitrary read/write operations by a remote attacker through a crafted HTML page.
Details Of The Zero-Days Flaws Addressed
In addition to these zero-day exploits, Google addressed other security issues in its latest update.
Among them was a critical Use After Free vulnerability in ANGLE (CVE-2024-2883), reported by Cassidy Kim, who was awarded a $10,000 bounty.
This flaw could potentially lead to heap corruption through a crafted HTML page.
Another high-severity Use After Free issue in Dawn (CVE-2024-2885) was also patched, although the details of the reward for this discovery were not disclosed.
To safeguard against these vulnerabilities, Google has updated the Chrome Stable channel to versions 123.0.6312.86/.87 for Windows and Mac, and 123.0.6312.86 for Linux.
The rollout of this update is expected to occur over the coming days and weeks, ensuring that users are protected against these identified threats.
How To Update?
Users are advised to check their Chrome browser version and update it if necessary.
This can be done by navigating to Menu > Help > About Google Chrome or typing chrome://settings/help into the address bar.
The browser will automatically search for and install any available updates, requiring a restart to complete the process.
Google has emphasized the importance of this update, stating that access to bug details and links may remain restricted until a majority of users have applied the fix.
This precautionary measure aims to prevent the exploitation of these vulnerabilities by malicious actors.
Interestingly, Mozilla also took swift action to patch two zero-day vulnerabilities (CVE-2024-29944 and CVE-2024-29943) exploited by Manfred Paul at the Pwn2Own contest in the Firefox web browser.
This move further highlights the collaborative effort within the cybersecurity community to address and mitigate threats as they arise.
The recent patches by Google and Mozilla serve as a critical reminder of the ever-evolving nature of cyber threats and the need for continuous vigilance and updates to protect users’ security and privacy online.
As cyber attackers become more sophisticated, the role of ethical hackers in identifying and reporting vulnerabilities becomes increasingly vital in maintaining the integrity of widely used software and systems.
Also Read: Unveiling Coper/Octo: A New Threat in Mobile Security
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.