CVE-2024-3159: Google Chrome Zero-Day Exploit Demonstrated at Pwn2Own

Google has released an urgent security update for its Chrome web browser, patching a critical zero-day vulnerability that was successfully exploited during the recent Pwn2Own Vancouver 2024 hacking competition. The flaw, designated CVE-2024-3159, involves an out-of-bounds memory access vulnerability in the V8 JavaScript engine.

Exploit in the Wild

Security researchers Edouard Bochin (@le_douds) and Tao Yan (@Ga1ois) from Palo Alto Networks demonstrated the working exploit at the competition, highlighting the real-world risks posed by zero-day vulnerabilities. Such flaws are highly prized by attackers as they exist without a known patch, giving hackers the advantage of surprise.

Additional Vulnerabilities Patched

Alongside the zero-day fix, Google addressed two other high-severity vulnerabilities in Chrome:

• CVE-2024-3156: Inappropriate implementation in V8, potentially allowing arbitrary code execution.
• CVE-2024-3158: Use-after-free vulnerability in Bookmarks, opening opportunities for attackers to manipulate browser memory.

Pwn2Own: Exposing Vulnerabilities

The Pwn2Own hacking competition provides a platform for skilled researchers to showcase zero-day exploits against popular software and devices. By disclosing these vulnerabilities responsibly, demonstrations at Pwn2Own help vendors like Google rapidly address weaknesses before they can be widely exploited by malicious actors.

The Pwn2Own Vancouver 2024 event concluded with a staggering $1,132,500 awarded to security researchers over two days. The competition saw the demonstration of 29 zero-day exploits and exploit chains, showcasing the ingenuity and skill of participants.

Why Update Immediately

Given the active exploitation of CVE-2024-3159, it’s crucial for all Chrome users to install the latest update (version 123.0.6312.105/.106/.107 for Windows and Mac and 123.0.6312.105 for Linux) as soon as possible. You can typically update Chrome by going to “Settings” -> “About Chrome”.