Google Patches Chrome Zero-Days Exploited at Pwn2Own

Google recently patched seven Chrome browser vulnerabilities, including two zero-days actively exploited during the Pwn2Own Vancouver 2024 hacking contest. These zero-days were:

CVE-2024-2887: A type confusion flaw in WebAssembly, exploited by Manfred Paul for remote code execution (RCE) against Chrome and Edge.

CVE-2024-2886: A use-after-free vulnerability in WebCodecs, exploited by Seunghyun Lee for RCE against Chrome and Edge.

Google released fixes in Chrome version 123.0.6312.86/.87 for Windows, Mac, and Linux. This quick turnaround contrasts with the 90 days vendors typically have after a Pwn2Own demonstration before details are publicly disclosed.

Mozilla also patched Firefox zero-days exploited at Pwn2Own. In January, Google patched another actively exploited Chrome zero-day (CVE-2024-0519).

The Pwn2Own 2024 Vancouver competition saw researchers earn over $1 million for demonstrating zero-day exploits. Manfred Paul was the top winner, taking down Safari, Chrome, and Edge.