Chrome zero day

Author: c | 2025-04-25


Zero-day Vulnerability in Chrome - Europa

Google has fixed another zero-day vulnerability in the Chrome browser, which was exploited by security researchers during the Pwn2Own hacking contest last month.

Tracked as CVE-2024-3159, this high-severity security flaw is caused by an out-of-bounds read weakness in the Chrome V8 JavaScript engine.

Remote attackers can exploit the vulnerability using crafted HTML pages to gain access to data beyond the memory buffer via heap corruption, which can provide them with sensitive information or trigger a crash.

Palo Alto Networks security researchers Edouard Bochin and Tao Yan demoed the zero-day on the second day of Pwn2Own Vancouver 2024 to defeat V8 hardening.

Their double-tap exploit allowed them to execute arbitrary code on Google Chrome and Microsoft Edge, earning them a $42,500 award.

Google has now fixed the zero-day in the Google Chrome stable channel version 123.0.6312.105/.106/.107 (Windows and Mac) and 123.0.6312.105 (Linux), which will roll out worldwide over the coming days.

One week ago, Google fixed two more Chrome zero-days exploited at Pwn2Own Vancouver 2024. The first, a high-severity type confusion weakness (CVE-2024-2887) in the WebAssembly (Wasm) open standard, was targeted by Manfred Paul's double-tap RCE exploit that targeted both Chrome and Edge.

The second, a use-after-free (UAF) weakness in the WebCodecs API (CVE-2024-2886), was also exploited by KAIST Hacking Lab's Seunghyun Lee to gain remote code execution on both Chromium web browsers.

Mozilla also patched two Firefox zero-days exploited by Manfred Paul at this year's Pwn2Own Vancouver competition on the same day the bugs were exploited.

While both Google and Mozilla released security patches within a week, vendors usually take their time to fix Pwn2Own zero-days since Trend Micro's Zero Day Initiative publicly discloses bug details after 90 days.

In total, Google patched four Chrome zero-days this year, with the fourth addressed in January as an actively exploited zero-day (CVE-2024-0519) that enabled attackers to crash unpatched browsers or access sensitive information due to an out-of-bounds memory access weakness in the V8 JavaScript engine.

On Tuesday, the company also fixed two Android zero-days exploited by forensic firms to unlock Pixel phones without a PIN and gain access to the data stored within them.

New Chrome Zero-Day. According to Microsoft researchers, North Korean hackers have been using a Chrome zero-day exploit to steal cryptocurrency.

Sixth Chrome zero-day fixed in 2025. With this release, Google has issued security updates to address the sixth Chrome zero-day patch since the start of the year. The previous five zero-day

CVE- is the fourth Chrome zero-day of 2025 to have been exploited in the wild and the seventh zero-day addressed in the browser this year. Three of these zero-day

Google Chrome WebRTC Zero-Day Faces Active Exploitation. The heap buffer-overflow issue in Chrome for

Google Chrome Zero-Day Update CVE- – . Google has issued (another) emergency Chrome update to address the third zero-day vulnerability

For the third time in the last seven days, Google has fixed a Chrome zero-day vulnerability for which an exploit exists in the wild. While the two Chrome zero days fixed in the

Google Responds to Chrome Zero-Day Vulnerability CVE-2023-4863, Credits Apple and Citizen Lab for Discovery

In a swift action that underscores the perpetual arms race against cyber threats, Google recently launched a crucial update for its Chrome browser, patching the Chrome Zero-Day Vulnerability CVE-2023-4863. This marked the fourth zero-day vulnerability in Chrome that has been addressed this year.

What is Chrome Zero-Day Vulnerability CVE-2023-4863?

Chrome Zero-Day Vulnerability CVE-2023-4863 is a high-risk, heap buffer overflow issue affecting the WebP component of the browser. WebP is an advanced image format offering enhanced compression and quality, overshadowing its predecessors, JPEG and PNG. Almost all contemporary browsers, like Firefox, Safari, Edge, and Opera, support this image format.

For those unfamiliar with the term, a "heap buffer overflow" occurs when an application tries to store more data in a heap-allocated memory buffer than it can actually hold. This can lead to application crashes and possibly open the door for hackers to execute arbitrary code on the victim's system.

Google's advisory points out that they are aware that an exploit exists for this vulnerability "in the wild," making it imperative for users to update their browsers immediately.

For a more technical explanation of heap buffer overflow issues, check out this guide.

Who Discovered the Vulnerability?

The discovery of Chrome Zero-Day Vulnerability CVE-2023-4863 was credited to Apple's Security Engineering and Architecture (SEAR) and Citizen Lab at The University of Toronto's Munk School. Citizen Lab frequently exposes commercial spyware activities, which leads to the speculation that this vulnerability might have been exploited by one such spyware vendor.

Comments

User5930

Google has released Chrome 91.0.4472.101 for Windows, Mac, and Linux to fix 14 security vulnerabilities, with one zero-day vulnerability exploited in the wild and tracked as CVE-2021-30551.

Google Chrome 91.0.4472.101 has started rolling out worldwide and will become available to all users over the next few days.

Google Chrome will automatically attempt to upgrade the browser the next time you launch the program, but you can perform a manual update by going to Settings > Help > 'About Google Chrome'.

Google updated to version 91.0.4472.10

Six Chrome zero-days exploited in the wild in 2021

Few details regarding today's fixed zero-day vulnerability are currently available other than that it is a type confusion bug in V8, Google's open-source and C++ WebAssembly and JavaScript engine.

The vulnerability was discovered by Sergei Glazunov of Google Project Zero and is being tracked as CVE-2021-30551.

Google states that they are "aware that an exploit for CVE-2021-30551 exists in the wild."

Shane Huntley, Director of Google's Threat Analysis Group, says that this zero-day was utilized by the same threat actors using the Windows CVE-2021-33742 zero-day fixed yesterday by Microsoft.

"Chrome in-the-wild vulnerability CVE-2021-30551 patched today was also from the same actor and targeting. Thanks to Chrome team for also patching within 7 days." Shane Huntley (@ShaneHuntley) June 9, 2021

Today's update fixes Google Chrome's sixth zero-day exploited in attacks this year, with the other five listed below:

CVE-2021-21148 - February 4th, 2021
CVE-2021-21166 - March 2nd, 2021
CVE-2021-21193 - March 12th, 2021
CVE-2021-21220 - April 13th, 2021
CVE-2021-21224 - April 20th, 2021

In addition to these vulnerabilities, news broke yesterday of a threat actor group known as Puzzlemaker that is chaining together Google Chrome zero-day bugs to escape the browser's sandbox and install malware in Windows.

"Once the attackers have used both the Chrome and Windows exploits to gain a foothold in the targeted system, the stager module downloads and executes a more complex malware dropper from a remote server," the researchers said.

Microsoft fixed the Windows vulnerabilities yesterday as part of the June 2021 Patch Tuesday, but Kaspersky could not determine what Google Chrome vulnerabilities were used in the Puzzlemaker attacks.

Kaspersky believes the attackers may have been using the

2025-04-01
User9274

Of zero-day vulnerabilities underscores the ever-evolving threat landscape and the necessity for timely updates and patches.

For a detailed timeline of zero-day vulnerabilities, you can visit this resource.

Conclusion

Chrome Zero-Day Vulnerability CVE-2023-4863 is a glaring example of the constant cat-and-mouse game between cybersecurity experts and cybercriminals. As users, the best defense against such threats is to keep software and applications up-to-date. Always be wary of advisories from reputable sources and act upon them promptly to keep your digital environment secure.

For more tips on securing your online browsing experience, check out this guide.

By being proactive in our approach to cybersecurity, we can make it increasingly challenging for cybercriminals to exploit vulnerabilities, thereby contributing to a safer online community for everyone.

FAQ

What is Chrome Zero-Day Vulnerability CVE-2023-4863?
This is a critical severity vulnerability identified in Google Chrome, specifically a heap buffer overflow issue in the WebP component. Google has released an emergency security update to address this vulnerability.

Who discovered this vulnerability?
The vulnerability was reported by Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at The University of Toronto's Munk School.

Why is this vulnerability considered 'critical'?
Heap buffer overflow issues can allow attackers to crash an application and potentially execute arbitrary code, thus severely compromising user security.

How many zero-day vulnerabilities have been found in Chrome this year?
CVE-2023-4863 is the fourth zero-day vulnerability that Google has patched in Chrome in the year 2023.

What is WebP?
WebP is an image format that offers better compression and quality compared to JPEG and PNG formats. It's supported by all modern browsers,

2025-04-01
