Another Google Chrome 0-day vulnerability fixed: update asap

Martin Brinkmann
Apr 4, 2024

Google released a security update for its Chrome web browser to address another 0-day security vulnerability. This is the second 0-day vulnerability that Google has fixed in Chrome recently and the third security update since the release of Chrome 123 on March 20, 2024.

Chrome users may want to update the browser immediately to protect it against potential attacks.

Load chrome://settings/help on the desktop to find out if Chrome is up to date. Chrome is up to date if you see one of the following versions: 123.0.6312.105, 123.0.6312.106, or 123.0.6312.107.

The browser should pick up the newest security update if an older version is installed. Note that this works only on desktop systems. Chrome for Android updates are managed by Google Play.
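Administrators who look after more than one machine can run the same version check over an inventory export. The following sketch is an added example, not code from Google or from this article: the inventory lines and host names are constructed sample data, and treating every build at or above 123.0.6312.105 as patched is an assumption. It compares versions numerically, because a plain string comparison would rank 123.0.6312.99 above 123.0.6312.105.

```python
# Added example: flag hosts whose Chrome build predates the fixed release.
from typing import NamedTuple

# Lowest fixed build named in the article; treating anything at or above it
# as patched is an assumption of this example.
FIXED_BUILD = "123.0.6312.105"

# Constructed sample inventory: "host,version" per line (hypothetical hosts).
SAMPLE_INVENTORY = """\
ws-001,123.0.6312.105
ws-002,123.0.6312.86
ws-003,123.0.6312.99
ws-004,122.0.6261.129
ws-005,124.0.6367.29
ws-006,not-installed
"""

class Finding(NamedTuple):
    host: str
    version: str
    status: str  # "patched", "outdated" or "unparsed"

def parse_version(text: str) -> tuple[int, ...]:
    """Turn 'MAJOR.MINOR.BUILD.PATCH' into a tuple of ints for comparison."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Chrome version: {text!r}")
    return tuple(int(p) for p in parts)

def audit(inventory: str, fixed: str = FIXED_BUILD) -> list[Finding]:
    """Classify every inventory line against the fixed build."""
    floor = parse_version(fixed)
    findings = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, version = line.partition(",")
        try:
            ok = parse_version(version) >= floor
        except ValueError:
            # Keep unparseable entries visible instead of dropping them.
            findings.append(Finding(host, version, "unparsed"))
            continue
        findings.append(Finding(host, version, "patched" if ok else "outdated"))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f.host:8} {f.version:16} {f.status}")
```

Hosts reported as "unparsed" need a manual look, as a missing or malformed version string says nothing about the patch level.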

0-day JavaScript vulnerability

The vulnerability was first shown publicly during the Pwn2Own hacking contest in March 2024. Security researchers Edouard Bochin and Tao Yan demonstrated it there and used the exploit against Chrome and also Microsoft Edge during the competition.

This earned them $42,500 in prize money during the competition. According to the official announcement, the exploit used an out-of-bounds read "plus a novel technique" to defeat V8 hardening and execute arbitrary code in the renderer.

Other Chromium-based web browsers are also affected by the issue, as it affects a shared component. Some of the browsers may have been updated already as a reaction to the reported security issue.

Closing Words

The Pwn2Own competition is notorious for finding and exploiting vulnerabilities in all kinds of products. Browsers have been a high priority target ever since the hacking competition opened its doors.

Browsers are a lucrative target as successful exploits open up lots of opportunities. This ranges from data extractions and manipulations of content in browsers to cookie or password stealing.

Mozilla and Microsoft addressed 0-day vulnerabilities in Firefox and Edge as well, as the browsers were also exploited during the competition.

Google announced a new project this week in an attempt to prevent cookie stealing. The company hopes that this project will become a new web standard. At its core, it binds cookies to the system they were created on.

Do you keep your browsers up to date?

Publisher: Ghacks Technology News
Comments

  1. guest said on April 19, 2024 at 12:30 am

    Google is as bad as Avast has been fined by the FTC for using its privacy software to harvest and sell user data

  2. Daisy Duke said on April 5, 2024 at 6:14 am

    @John Smith

    Hi Ballmer, is that you? <3

    "Screw Google’s anti-consumer, anti-privacy, biased ecosystem and Manifest v3."

    Aww, but you just loooove M$ don't you? I bet you use Winblows, too, if not outright paid to post such dribble.

  3. Johnny Depp's Depp said on April 5, 2024 at 6:12 am

    @Andy Prough

    I personally take a shot of whiskey every time M$ patches dozens of remotely exploitable “bugs” to admin/root.

    I’m not at all concerned, though, I have 9 livers, 8 implanted just in case before I started reading as far back as 3.11.

    1. Andy Prough said on April 5, 2024 at 6:10 pm

      You’re going to need a few more spare livers. I’d go with about 12 if you can fit them in there.

  4. John G. said on April 5, 2024 at 12:20 am

    I like when a bug is fixed and the security is enhanced. Thanks for the article! :]

  5. Anonymous said on April 4, 2024 at 6:58 pm

    So this vulnerability was Chromium? Because Chrome is Chromium, but Chromium is not Chrome. Chrome is closed source and Chromium is the open source anyone can use to develop their browser.

    So, saying ‘Chrome’ is not wrong, but not entirely correct, especially since it affects other Chromium-based browsers.

  6. Anonymous said on April 4, 2024 at 6:55 pm

    It’s been almost 24 hours since Brave got 123.0.6312.105, so most people should already have this unless they blocked automatic updates with a firewall or something.

    Funny is how Nightly got this like 15 hours ago, way after stable users, not like it matters but I just found it interesting I saw the build with 105 way after the announcement on Reddit for the stable one.

    BTW, on Nightly, Brave already offers Split View for people who use Nightly builds but never check new flags and features being added. You enable the flag and then you use the tabs context menu to use it. WIP and early stages but it works okay even if it is still limited and has some bugs.

  7. Andy Prough said on April 4, 2024 at 5:10 pm

    Another day, another $42,500 in prize money for pwning Chrome/Chromium. It’s like taking candy from a baby.

  8. John Smith said on April 4, 2024 at 7:32 am

    Update to a different browser. Screw Google’s anti-consumer, anti-privacy, biased ecosystem and Manifest v3.
