Google has rushed out another patch for a Chrome zero-day vulnerability, CVE-2024-3159. The updated Chrome (version 123.0.6312.105/.106/.107) fixes CVE-2024-3159 along with two other high-severity flaws (CVE-2024-3156 and CVE-2024-3158).
As always, updating promptly is your best defense.
CVE-2024-3159 was demonstrated by Palo Alto Networks researchers Edouard Bochin and Tao Yan. These talented folks walked away with $42,500 and bragging rights for showing how to outright crash Chrome.
Under the Hood of CVE-2024-3159
The vulnerability behind CVE-2024-3159 is an out-of-bounds memory access in Chrome's V8 JavaScript engine. While running JavaScript, V8 allocates memory to hold variables and other data used during execution. An out-of-bounds access escapes those allocated regions, reading from or writing to memory that was never intended for it.
Imagine a well-defined array designed to hold 10 integers. An out-of-bounds access would be like reaching for the 11th element (or worse!), potentially reading or overwriting data in adjacent memory blocks. In CVE-2024-3159, malicious JavaScript code could exploit this vulnerability to:
- Read sensitive data: Attackers could potentially access memory regions containing confidential information like passwords or browsing history.
- Trigger heap corruption: Heap corruption occurs when an invalid memory access damages the heap, the memory region used for dynamic memory allocation. This can lead to crashes, or even code execution vulnerabilities.
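To make the "array of 10 integers" picture concrete, here is an added example in C (not from the article, and not Chromium/V8 code): a toy bump-allocated heap in which an unchecked index reads the neighbouring object's data and overwrites its length word, beside bounds-checked accessors that reject the same indexes. The object layout, the function names and the "sensitive" value are all constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One flat buffer stands in for the V8 heap; objects are bump-allocated back to back.
 * Staying inside this buffer lets the demo show the effect without real undefined behaviour. */
static int32_t arena[64];

/* Hypothetical array object: a length word followed by its elements. */
typedef struct { size_t base; } obj_t;
#define LEN(o)     arena[(o).base]
#define ELEM(o, i) arena[(o).base + 1 + (i)]

static obj_t alloc_array(size_t *bump, int32_t len) {
    obj_t o = { *bump };
    LEN(o) = len;
    memset(&ELEM(o, 0), 0, (size_t)len * sizeof(int32_t));
    *bump += 1 + (size_t)len;
    return o;
}

/* Vulnerable: trusts the index, so i >= length touches whatever sits after the array. */
static int32_t load_unchecked(obj_t o, size_t i)             { return ELEM(o, i); }
static void    store_unchecked(obj_t o, size_t i, int32_t v) { ELEM(o, i) = v; }

/* Hardened: any index outside [0, length) is refused (returns -1). */
static int load_checked(obj_t o, size_t i, int32_t *out) {
    if (i >= (size_t)LEN(o)) return -1;
    *out = ELEM(o, i); return 0;
}
static int store_checked(obj_t o, size_t i, int32_t v) {
    if (i >= (size_t)LEN(o)) return -1;
    ELEM(o, i) = v; return 0;
}

/* The text's scenario: a 10-element array with another object right behind it. Returns bit 0 if
 * the neighbour's data was read, bit 1 if its length word was corrupted so that a later bounds
 * check on it now accepts an index it should reject. */
static int demo_unchecked(void) {
    size_t bump = 0; int32_t v, flags = 0;
    obj_t a = alloc_array(&bump, 10);
    obj_t s = alloc_array(&bump, 4);
    store_checked(s, 0, 0x5ec7e7);                       /* constructed "sensitive" value */
    if (load_unchecked(a, 11) == 0x5ec7e7) flags |= 1;   /* "12th element" is s[0] */
    store_unchecked(a, 10, 1 << 20);                     /* "11th element" is s's length word */
    if (LEN(s) == (1 << 20) && load_checked(s, 40, &v) == 0) flags |= 2;
    return flags;
}

/* Same scenario through the checked accessors: both attempts are rejected, neighbour intact. */
static int demo_checked(void) {
    size_t bump = 0; int32_t v;
    obj_t a = alloc_array(&bump, 10);
    obj_t s = alloc_array(&bump, 4);
    store_checked(s, 0, 0x5ec7e7);
    return load_checked(a, 11, &v) == -1 && store_checked(a, 10, 1 << 20) == -1
        && LEN(s) == 4 && load_checked(s, 40, &v) == -1;
}

int main(void) {
    printf("unchecked: flags=%d  checked: ok=%d\n", demo_unchecked(), demo_checked());
    return 0;
}
```

Flags 3 from the unchecked path shows both effects the bullets describe; the checked path returns 1 because every out-of-range index is refused before memory is touched.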
A New Trend for Chrome?
This isn’t the first, and unfortunately, likely won’t be the last zero-day vulnerability uncovered for Chrome thanks to Pwn2Own.
While Google consistently patches flaws, these high-profile contests continually highlight that even widely used software isn't immune. Perhaps it's time Google started offering some pre-emptive bounties to security researchers; it might be cheaper than the panicked rapid development needed to address security flaws after Pwn2Own.