Google has released a critical security update for its Chrome browser, patching seven vulnerabilities – including two zero-day flaws actively exploited during the recent Pwn2Own Vancouver 2024 hacking competition.

Security researchers demonstrated these exploits at the event, highlighting the real-world risks to Chrome users.

Zero-day vulnerabilities are security flaws unknown to the software vendor (in this case, Google). This means hackers can actively exploit them before a patch becomes available, making them particularly dangerous.

The first (tracked as CVE-2024-2887) is a high-severity type confusion weakness in the WebAssembly (Wasm) open standard. Manfred Paul demoed this vulnerability on the first day of Pwn2Own as part of a double-tap remote code execution (RCE) exploit using a crafted HTML page and targeting both Chrome and Edge.

The second zero-day is tracked as CVE-2024-2886 and was exploited by KAIST Hacking Lab’s Seunghyun Lee during the second day of the CanSecWest Pwn2Own contest.

Google fixed the two zero-days in the Google Chrome stable channel, version 123.0.6312.86/.87 for Windows and Mac and 123.0.6312.86 for Linux users, which will roll out worldwide over the coming days.
