Pwn2Own Vancouver 2024: Google fixes 7 security vulnerabilities, including two zero-days

The fixes were released with version 123.0.6312.86/.87 for Windows & Mac and 123.0.6312.86 for Linux

2 min. read

Published onMarch 28, 2024

published onMarch 28, 2024

Share this article

Read our disclosure page to find out how can you help Windows Report sustain the editorial teamRead more

Recently, during the Pwn2Own Vancouver 2024 hacking competition, Google fixed a total of seven security vulnerabilities in the Chrome web browser. Let’s talk about the critical ones.

The first zero-day is CVE-2024-2887, a high-severityType Confusionweakness in the WebAssembly (Wasm) open standard.

Manfred Paul put this vulnerability on public view on the Pwn2Own’s first day as a part of a double-tap remote code execution (RCE) exploit, which uses a crafted HTML page and targets both Edge and Chrome.

The second one is CVE-2024-2886. KAIST Hacking Lab’s Seunghyun Lee exploited this vulnerability on the second day of the CanSecWest Pwn2Own contest.

This one is described as a Use After Free (UAF) weakness in the WebCodecs API, which web apps utilize to encode/decode audio and video content. Hackers use it to perform arbitrary reads/writes remotely through crafted HTML pages.

Seunghyun Lee also used CVE-2024-2886 to gain remote code execution utilizing a single exploit to attack both Google Chrome and Microsoft Edge.

Google has fixed both zero-day threats in the Google Chrome stable channel. With version 123.0.6312.86/.87 for Windows and Mac and 123.0.6312.86 for Linux, hackers can no longer target your device using these vulnerabilities. The update will be available globally soon.

Mozilla Firefox also fixedtwo critical zero-day vulnerabilities, one in Firefox 124.0.1 and one in Firefox ESR 115.9.1, after Manfred Paul spotted and exploited them at Pwn2Own Vancouver 2024.

Mozilla fixed these issues in a single day, and Google took five days to patch up these vulnerabilities. This is quite quick, as vendors have 90 days to fix them until Trend Micro Zero Day Initiative discloses the bug details publicly.

In January 2024, Google and Microsoft patched up another zero-day in Chrome andEdge, respectively. It can gain access to users’ personal information including social media credentials and banking details, and crash unpatched browsers because of out-of-bounds memory access weakness in the Chrome V8 JavaScript engine.

With KB5043178 to Release Preview Channel, Microsoft advises Windows 11 users to plug in when the battery is low#

Copilot in Outlook will generate personalized themes for you to customize the app#

Microsoft will raise the price of its 365 Suite to include AI capabilities#

Death Stranding Director’s Cut is now Xbox X|S at a huge discount#

Outlook will let users create custom account icons so they can tell their accounts apart easier#

Pwn2Own Vancouver 2024: Google fixes 7 security vulnerabilities, including two zero-days#

With KB5043178 to Release Preview Channel, Microsoft advises Windows 11 users to plug in when the battery is low

Copilot in Outlook will generate personalized themes for you to customize the app

Microsoft will raise the price of its 365 Suite to include AI capabilities

Death Stranding Director’s Cut is now Xbox X|S at a huge discount

Outlook will let users create custom account icons so they can tell their accounts apart easier

Pwn2Own Vancouver 2024: Google fixes 7 security vulnerabilities, including two zero-days