Another Chrome bug cost specialists $42,500.
Google has fixed a critical vulnerability in the Chrome browser that was discovered during the Pwn2Own 2024 competition in Vancouver.
Vulnerability CVE-2024-3159 is related to an Out-of-bounds read error in the JavaScript V8 engine and can lead to unauthorized access to data or browser crashes.
A remote attacker can take advantage of the vulnerability by using the generated HTML pages to gain access to data outside the memory buffer through heap corruption, which can reveal confidential information or cause a crash.
Researchers from Palo Alto Networks Eduard Boshin and Tao Yang demonstrated exploiting the vulnerability in a competition, successfully bypassing the V8 engine protection with a sophisticated attack, which allowed them to execute arbitrary code in Google Chrome and Microsoft Edge browsers. For their work, the specialists received an award in the amount of $42,500.
Google has promptly released an update for the stable version of Google Chrome (versions 123.0.6312.105/.106/.107 for Windows and Mac, and 123.0.6312.105 for Linux), which will be distributed worldwide in the coming days.
Earlier, Google fixed 4 more vulnerabilities discovered at Pwn2Own 2024, including the actively exploited zero-day vulnerability. On the first day of the Pwn2Own competition in Vancouver in 2024, participants demonstrated 19 zero-day vulnerabilities in Windows 11, Tesla cars, and Ubuntu. For their findings, experts received awards totaling $732,500 and a Tesla Model 3 car. After demonstrating vulnerabilities at Pwn2Own, manufacturers are given 90 days to create and release security patches for all detected flaws before they are published.
Google has fixed a critical vulnerability in the Chrome browser that was discovered during the Pwn2Own 2024 competition in Vancouver.
Vulnerability CVE-2024-3159 is related to an Out-of-bounds read error in the JavaScript V8 engine and can lead to unauthorized access to data or browser crashes.
A remote attacker can take advantage of the vulnerability by using the generated HTML pages to gain access to data outside the memory buffer through heap corruption, which can reveal confidential information or cause a crash.
Researchers from Palo Alto Networks Eduard Boshin and Tao Yang demonstrated exploiting the vulnerability in a competition, successfully bypassing the V8 engine protection with a sophisticated attack, which allowed them to execute arbitrary code in Google Chrome and Microsoft Edge browsers. For their work, the specialists received an award in the amount of $42,500.
Google has promptly released an update for the stable version of Google Chrome (versions 123.0.6312.105/.106/.107 for Windows and Mac, and 123.0.6312.105 for Linux), which will be distributed worldwide in the coming days.
Earlier, Google fixed 4 more vulnerabilities discovered at Pwn2Own 2024, including the actively exploited zero-day vulnerability. On the first day of the Pwn2Own competition in Vancouver in 2024, participants demonstrated 19 zero-day vulnerabilities in Windows 11, Tesla cars, and Ubuntu. For their findings, experts received awards totaling $732,500 and a Tesla Model 3 car. After demonstrating vulnerabilities at Pwn2Own, manufacturers are given 90 days to create and release security patches for all detected flaws before they are published.
