With the new Chrome versions 123.0.6312.86/87 for Windows and macOS and 123.0.6312.86 for Linux from March 26, 2024, Google is fixing seven vulnerabilities in its browser. Two of the security holes come from the hacking competition Pwn2own. So far, none of the vulnerabilities appear to have been exploited for real attacks. Manufacturers of other Chromium-based browsers will soon follow suit.
Update March 28th: According to Microsoft, the vulnerabilities that have been fixed also include a 0-day vulnerability, i.e. one that is already being used for attacks or for which an exploit (code example for exploitation) is publicly available. Further information on this can be found below.
In the Chrome Release Blog, Srinivas Sista lists four of the seven security holes that were discovered by external security researchers and reported to Google. Google classifies one of these vulnerabilities (CVE-2024-2883) as critical. The use-after-free vulnerability, which was reported to Google at the beginning of March, is in the ANGLE graphics interface and earns its discoverer a $10,000 bounty.
Three additional security vulnerabilities are identified as high risk. The use-after-free vulnerability CVE-2024-2885 is in Dawn (WebGPU implementation). The other two vulnerabilities were discovered last week at the Pwn2own hacking competition in Vancouver. Seunghyun Lee exploited CVE-2024-2886, a use-after-free vulnerability in WebCodecs, and won $60,000 for it. On the same day, eventual Pwn2own overall winner Manfred Paul from Bonn contributed CVE-2024-2887, a type confusion in WebAssembly that won him $42,500 in the competition.
Google does not provide any information about the gaps discovered internally. If you read the two Pwn2own days carefully in the ZDI blog, you will notice that Chrome and Edge were hacked more than twice. So these can’t have been all the security gaps. Google also released Chrome 123.0.6312.80 for Android. The same vulnerabilities have been fixed.
Other Chromium-based browsers
The manufacturers of other Chromium-based browsers are now once again required to quickly follow suit with updates. Microsoft Edge and Brave have already made the switch to Chromium 123 and are at the security level before this Chrome update. Microsoft says it is aware of the “exploits existing in the wild” and is “actively” working on an update. Apparently Microsoft considers the Pwn2own vulnerabilities to be 0-day vulnerabilities – or knows of others.
Vivaldi skips Chromium 123 and relies on the previous generation’s Extended Stable Channel. At Opera, version 109 based on Chromium 123 is still in beta testing. The Norwegians are now two updates behind again.
Update March 28th
Vivaldi released an update to browser version 6.6.3271.55 on March 27, which is based on Chromium 122.0.6261.150. Brave has followed suit with an update to version 1.64.113, using Chromium 123.0.6312.86. Opera made the switch to Chromium 123 on the same day with Opera One 109.0.5097.33. However, it still contains the outdated and insecure Chromium version 123.0.6312.46. Google used this in the early stable update of March 13th in Chrome. Only relatively few users received this early version – an early stable update regularly appears almost a week before the general availability of a new major Chrome version.
Addendum: Opera has now released version 109.0.5097.35, which contains Chromium 123.0.6312.59. That is at least the security status from last week (week 12).
Microsoft: 0-day vulnerability in Chromium browsers
Late on the evening of March 27th (European time), Microsoft published more concrete information about the 0-day gap announced the day before (see above). According to this, exploit code exists for CVE-2024-2883, the vulnerability in the ANGLE component that Google has classified as critical. When making this statement, Microsoft refers to the Chromium team. This information should also be available to Google, which, however, makes no statement about it in its release blog. So far, Google has always made 0-day gaps in Chrome public as soon as they were closed via an update.
Microsoft is releasing an update to version 123.0.2420.65 for its Edge browser. It is based on Chromium 123.0.6312.87, so it also eliminates all other vulnerabilities mentioned above, including the Pwn2own vulnerabilities.
Chromium-based browsers at a glance:
Browser | Version | Chromium version | Secured? |
---|---|---|---|
Google Chrome | 123.0.6312.86 | 123.0.6312.86 | 🟢 |
Brave | 1.64.113 | 123.0.6312.86 | 🟢 |
Microsoft Edge | 123.0.2420.65 | 123.0.6312.87 | 🟢 |
Opera One | 109.0.5097.35 | 123.0.6312.59 | 🟠 |
Vivaldi | 6.6.3271.55 | 122.0.6261.150 | 🟢 |
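
The table's rating can be turned into a fleet check. The following is an added example, not code from the article or from any browser vendor: it compares a browser's embedded Chromium version against a patched floor per milestone. The floor values are the versions the article rates as secure; the function names and the sample inventory are constructed for illustration.

```python
import re

# Patched-build floor per Chromium milestone, taken from the article's table.
PATCHED_FLOOR = {
    123: (123, 0, 6312, 86),    # Chrome stable fix of March 26, 2024
    122: (122, 0, 6261, 150),   # Extended Stable build shipped by Vivaldi
}

_VERSION_RE = re.compile(r"\d+\.\d+\.\d+\.\d+", re.ASCII)


def parse_version(text):
    """Turn 'MAJOR.MINOR.BUILD.PATCH' into a tuple of ints for numeric comparison."""
    text = text.strip()
    if not _VERSION_RE.fullmatch(text):
        raise ValueError(f"not a four-part Chromium version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def assess(chromium_version):
    """Return 'patched', 'outdated', or 'unknown' (milestone not in the table)."""
    version = parse_version(chromium_version)
    floor = PATCHED_FLOOR.get(version[0])
    if floor is None:
        return "unknown"
    return "patched" if version >= floor else "outdated"


def audit(inventory):
    """Map each browser name to its status, given name -> embedded Chromium version."""
    return {name: assess(version) for name, version in inventory.items()}


# Constructed inventory using the Chromium versions named in the article.
SAMPLE_INVENTORY = {
    "Google Chrome": "123.0.6312.86",
    "Brave 1.64.113": "123.0.6312.86",
    "Microsoft Edge 123.0.2420.65": "123.0.6312.87",
    "Opera One 109.0.5097.33": "123.0.6312.46",
    "Opera One 109.0.5097.35": "123.0.6312.59",
    "Vivaldi 6.6.3271.55": "122.0.6261.150",
}

if __name__ == "__main__":
    for name, status in audit(SAMPLE_INVENTORY).items():
        print(f"{name:32} {status}")
```

The check is per milestone because a higher major version alone says nothing: Opera's Chromium 123.0.6312.59 is behind on fixes while Vivaldi's 122.0.6261.150 is not. Comparing the parts as integers also avoids the string-comparison trap in which a patch level of 9 would sort above 86.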