Chrome Zero-Day Vulnerability Exploited At Pwn2Own : Patch Now
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
Google fixed three vulnerabilities in the Chrome browser on Tuesday, along with another zero-day exploitthat was exploitedduring the Pwn2Own Vancouver 2024 hacking contest.
Google recently fixed two more zero-day vulnerabilities that were exploited during the Pwn2Own hacking competition.
Palo Alto Networks’ Edouard Bochin (@le_douds) and Tao Yan (@Ga1ois) reported the vulnerability identified as CVE-2024-3159 on March 22, 2024, during Pwn2Own 2024.
Both of them received $42,500 and 9 Master of Pwn points for successfully showcasing their attack against Microsoft Edge and Google Chrome.
Confirmed! @le_douds and @Ga1ois from Palo Alto used an OOB Read plus a novel technique for defeating V8 hardening to get arbitrary code execution in the renderer. The were aboe to exploit #Chrome and #Edge with the same bugs, earning $42,500 and 9 Master of Pwn points. #Pwn2Own pic.twitter.com/EhFIEntnPw
— Zero Day Initiative (@thezdi) March 21, 2024
Google has fixed the vulnerabilities in the Google Chrome Stable channel to 123.0.6312.105/.106/.107 for Windows and Mac and 123.0.6312.105 for Linux. The update will be rolled out in the upcoming days and weeks.
Specifics Of Zero-Day Flaw Addressed – CVE-2024-3159
The CVE-2024-3159 vulnerability is an out-of-bounds memory access in the V8 JavaScript engine.
The exploitation of vulnerability may cause a crash or the exposing of sensitive data.
On the second day of Pwn2Own, security researchers Edouard Bochin and Tao Yan from Palo Alto Networks demonstrated the zero-day.
Other Security Flaws Addressed
Google also fixed inappropriate implementation in V8, which has been identified as CVE-2024-3156.
Following Zhenghang Xiao’s (@Kipreyyy) disclosure of the issue, Google granted a reward of $7,000.
CVE-2024-3158, Use after free in Bookmarks, was also fixed by Google. After undoingfish reported the issue, Google offered $3000 as a reward.
How To Update?
To view the most recent version on desktop devices, Google Chrome users can navigate to Menu > Help > About Google Chrome or type chrome://settings/help into the address bar.
The browser looks for updates as soon as the website is accessed; it downloads and installs any that it finds. It ought to detect and install the latest version.
To finish the update, the browser must be restarted.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed”, Google said.
Google patched multiple Chrome browser vulnerabilities at the end of March, including two zero-day vulnerabilities that were disclosed during the Pwn2Own 2024. These vulnerabilities are identified as CVE-2024-2886 and CVE-2024-2887.
Mozilla also addresses two zero-day vulnerabilities tracked as CVE-2024-29944 and CVE-2024-29943 that were recently exploited by Manfred Paul (@_manfp) at the Pwn2Own hacking contest in the Firefox web browser.
Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide
#Bug_Bounty #Cyber_Security_News #Vulnerability #cyber_security_news #Cybersecurity_Patch #Pwn2Own_2024
Оригинальная версия на сайте:
Chrome Zero-Day Vulnerability Exploited At Pwn2Own : Patch Now
Author: Guru BaranGoogle fixed three vulnerabilities in the Chrome browser on Tuesday, along with another zero-day exploitthat was exploitedduring the Pwn2Own Vancouver 2024 hacking contest.
Google recently fixed two more zero-day vulnerabilities that were exploited during the Pwn2Own hacking competition.
Palo Alto Networks’ Edouard Bochin (@le_douds) and Tao Yan (@Ga1ois) reported the vulnerability identified as CVE-2024-3159 on March 22, 2024, during Pwn2Own 2024.
Both of them received $42,500 and 9 Master of Pwn points for successfully showcasing their attack against Microsoft Edge and Google Chrome.
Confirmed! @le_douds and @Ga1ois from Palo Alto used an OOB Read plus a novel technique for defeating V8 hardening to get arbitrary code execution in the renderer. The were aboe to exploit #Chrome and #Edge with the same bugs, earning $42,500 and 9 Master of Pwn points. #Pwn2Own pic.twitter.com/EhFIEntnPw
— Zero Day Initiative (@thezdi) March 21, 2024
Google has fixed the vulnerabilities in the Google Chrome Stable channel to 123.0.6312.105/.106/.107 for Windows and Mac and 123.0.6312.105 for Linux. The update will be rolled out in the upcoming days and weeks.
Specifics Of Zero-Day Flaw Addressed – CVE-2024-3159
The CVE-2024-3159 vulnerability is an out-of-bounds memory access in the V8 JavaScript engine.
The exploitation of vulnerability may cause a crash or the exposing of sensitive data.
On the second day of Pwn2Own, security researchers Edouard Bochin and Tao Yan from Palo Alto Networks demonstrated the zero-day.
Other Security Flaws Addressed
Google also fixed inappropriate implementation in V8, which has been identified as CVE-2024-3156.
Following Zhenghang Xiao’s (@Kipreyyy) disclosure of the issue, Google granted a reward of $7,000.
CVE-2024-3158, Use after free in Bookmarks, was also fixed by Google. After undoingfish reported the issue, Google offered $3000 as a reward.
How To Update?
To view the most recent version on desktop devices, Google Chrome users can navigate to Menu > Help > About Google Chrome or type chrome://settings/help into the address bar.
The browser looks for updates as soon as the website is accessed; it downloads and installs any that it finds. It ought to detect and install the latest version.
To finish the update, the browser must be restarted.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed”, Google said.
Google patched multiple Chrome browser vulnerabilities at the end of March, including two zero-day vulnerabilities that were disclosed during the Pwn2Own 2024. These vulnerabilities are identified as CVE-2024-2886 and CVE-2024-2887.
Mozilla also addresses two zero-day vulnerabilities tracked as CVE-2024-29944 and CVE-2024-29943 that were recently exploited by Manfred Paul (@_manfp) at the Pwn2Own hacking contest in the Firefox web browser.
Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide
#Bug_Bounty #Cyber_Security_News #Vulnerability #cyber_security_news #Cybersecurity_Patch #Pwn2Own_2024
Оригинальная версия на сайте:
