March 27, 2024 at 02:47PM
Google fixed two zero-day security vulnerabilities in the Chrome web browser, including type confusion and use-after-free weaknesses exploited during the Pwn2Own Vancouver 2024 hacking competition. The vulnerabilities allowed for remote code execution via crafted HTML pages. The patches were released in Chrome version 123.0.6312.86/.87 for Windows and Mac and 123.0.6312.86 for Linux users. Mozilla also promptly fixed the Firefox zero-days exploited at the same event.
From the provided meeting notes, I have summarized the following key points:
1. Google patched seven security vulnerabilities in the Chrome web browser, including two zero-day exploits demonstrated at the Pwn2Own Vancouver 2024 hacking competition.
2. The two zero-days were tracked as CVE-2024-2887 and CVE-2024-2886, with the former being a type confusion weakness in WebAssembly and the latter being a use-after-free weakness in the WebCodecs API.
3. Manfred Paul and the KAIST Hacking Lab’s Seunghyun Lee demonstrated the exploitation of these zero-day vulnerabilities at the Pwn2Own competition.
4. Google promptly rolled out patches for the zero-days in the Chrome stable channel, with Mozilla also fixing related zero-days in Firefox on the same day they were demoed at Pwn2Own.
5. Manfred Paul emerged as the winner of the Pwn2Own 2024 Vancouver competition, earning $202,500 in cash prizes.
6. The competition concluded on March 22, with security researchers demonstrating a total of 29 zero-day exploits and exploit chains over two days.
If you need further details or analysis on any specific aspect, please let me know.