Pwn2Own Hacker Discovers and Fixes Chrome 0-day Vulnerabilities

This week, Google fixed seven vulnerabilities in the Chrome browser, including two zero-day problems exploited by experts during the Pwn2Own Vancouver 2024 hacking competition.

The first vulnerability, CVE-2024-2887, is a type confusion issue in WebAssembly (Wasm). This bug was demonstrated on the first day of Pwn2Own by researcher Manfred Paul, who used it as part of a remote code execution (RCE) exploit using a malicious HTML page. The specialist used this bug against both Chrome and Edge.


The second 0-day was assigned CVE-2024-2886 and was used by KAIST Hacking Lab specialists on the second day of Pwn2Own.

This issue is described as a use-after-free bug in the WebCodecs API, which is used by web applications to encode and decode audio and video content. The vulnerability allows remote attackers to perform arbitrary read/write via malicious HTML pages. CVE-2024-2886 was also used for remote code execution in Google Chrome and Microsoft Edge.

Google fixed both vulnerabilities in the stable version of Google Chrome: 123.0.6312.86/.87 for Windows and Mac and 123.0.6312.86 for Linux users, which will be distributed worldwide in the coming days.
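Since the fix is delivered as a specific stable build, the practical defender's task is to confirm that every managed endpoint is at or above that build. The following is an added example, not code from the article or from Google: it parses dotted Chrome version strings, compares them against the fixed builds named above (123.0.6312.86 for Linux, 123.0.6312.86/.87 for Windows and Mac), and reports inventory records that are still below the fix or cannot be parsed. The hostnames and version values in the sample inventory are constructed, and the inventory format (host, platform, version) is an assumption.

```python
"""Check a fleet inventory of Chrome builds against the fixed versions named
in the article. Added example; the inventory records below are constructed
sample data, not real hosts."""
from __future__ import annotations

# First fixed stable builds as stated in the article. Windows and Mac shipped
# as the pair "123.0.6312.86/.87"; Linux received .86. Anything at or above
# .86 on each platform therefore carries the fix.
FIXED_VERSIONS = {
    "windows": "123.0.6312.86",
    "mac": "123.0.6312.86",
    "linux": "123.0.6312.86",
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted Chrome version like '123.0.6312.86' into a comparable tuple.

    Raises ValueError for malformed input so that a bad inventory record is
    never silently treated as patched.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(platform: str, installed: str) -> bool:
    """True if the installed build is at or above the first fixed build for the platform."""
    fixed = FIXED_VERSIONS[platform.lower()]
    # Tuple comparison is lexicographic, so 123.0.6312.87 > 123.0.6312.86
    # and 124.x.x.x > 123.x.x.x, as expected for Chrome's four-part scheme.
    return parse_version(installed) >= parse_version(fixed)


def find_unpatched(inventory):
    """Return (host, platform, version) for every record still below the fixed build.

    Records whose version cannot be parsed are reported as well, because an
    unverifiable endpoint should not be counted as covered.
    """
    findings = []
    for host, platform, version in inventory:
        try:
            ok = is_patched(platform, version)
        except ValueError:
            ok = False
        if not ok:
            findings.append((host, platform, version))
    return findings


# Constructed sample inventory (hypothetical hostnames and builds).
SAMPLE_INVENTORY = [
    ("ws-001", "windows", "123.0.6312.87"),  # the .87 Windows build: patched
    ("ws-002", "windows", "123.0.6312.58"),  # earlier 123 build: unpatched
    ("mac-010", "mac", "122.0.6000.1"),      # previous major: unpatched
    ("lx-007", "linux", "123.0.6312.86"),    # exactly the fixed build: patched
    ("lx-008", "linux", "124.0.7000.0"),     # newer build: patched
    ("lx-009", "linux", "unknown"),          # unparseable: flagged for review
]

if __name__ == "__main__":
    for host, platform, version in find_unpatched(SAMPLE_INVENTORY):
        print(f"{host} ({platform}): {version} is below {FIXED_VERSIONS[platform]}")
```

The comparison deliberately uses the full four-part version rather than only the major number, because the fix landed within the 123 line; a check that stopped at "Chrome 123" would report the unpatched 123.0.6312.58 build as covered.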

Let us recall that earlier Mozilla developers also fixed two zero-day vulnerabilities in Firefox, discovered by Manfred Paul: an out-of-bounds write (CVE-2024-29943) and a sandbox escape (CVE-2024-29944).


At the same time, it took Mozilla only one day to release patches, and Google five days, which is an excellent result. Typically, vendors are slow to release fixes for bugs demonstrated at Pwn2Own because they have 90 days before the Pwn2Own organizers, the Trend Micro Zero Day Initiative, publicly disclose details of the vulnerabilities.
