TRY NOW

Vulnerability

Google Fixes 2 High-Severity Vulnerabilities in Chrome 123 Exploited at Pwn2Own

2 min. read
28/03/2024
By Laura Libeer
Google Chrome Vulnerability

 TL;DR | Go Straight to the Google Chrome 123 Vulnerability Audit Report

On March 26th, Google released security updates for Chrome 123 for Windows, Linux, and Mac in response to 7 vulnerabilities some of which are critical or high severity. When successfully exploited the issues can lead to remote code execution, which could in turn compromise sensitive data and disrupt services. We have added a new report to Lansweeper to help you locate vulnerable Chrome installations.

Google Chrome 123 Vulnerabilities

In total, this security update addresses 7 vulnerabilities in Chrome. 2 of these vulnerabilities were successfully exploited at the Pwn2Own Vancouver 2024 hacking competition.

  • CVE-2024-2886 is a high-severity use after free weakness in WebCodecs that allows attackers to perform arbitrary reads/writes via crafted HTML pages.
  • CVE-2024-2887 is a high-severity type confusion weakness in WebAssembly that was used in a double-tap remote code execution exploit using a crafted HTML page and targeting both Chrome and Edge.

You can find more information about these and other vulnerabilities on Chrome’s release page.

Update Vulnerable Chrome Installations

The Zero Day Initiative gives publishers 90 days to patch their security flaws demoed at Pwn2Own before they publicly disclose the bug details. Google only took 5 days to release their security update. Still, it is advisable to update your Chrome installations to the fixed version (123.0.6312.86/.87 for Windows and Mac and 123.0.6312.86 for Linux) as soon as possible to protect your network against possible attacks.

As always, Google is holding off on releasing further bug details until a majority of users has had a chance to update their installations. That way malicious actors won’t be able to leverage the additional information for further attacks.

Remember to Update Microsoft Edge

Since Microsoft Edge is also a Chromium-based browser, we can expect an Edge security update soon to respond to the same vulnerabilities. You can always check what version your instances of Edge are on using our Edge Version Audit Report. This report will give you an overview of all instances of Microsoft Edge in your environment along with their version number.

Discover Vulnerable Chrome Installs

We have added an updated audit report to your Lansweeper installations to help you locate any vulnerable instances of Google Chrome in your network. This report will give you an actionable list of installations that haven’t been updated to the fixed version yet. You can get the report via the link below.

Google Chrome 123 Vulnerability Audit Report
NO CREDIT CARD REQUIRED

Ready to get started?
You’ll be up and running in no time.

Explore all our features, free for 14 days.