Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Chrome 62 Update Patches Serious Vulnerabilities

The second update released by Google for the Windows, Mac and Linux versions of Chrome 62 patches a couple of vulnerabilities rated critical and high severity.

The critical flaw, tracked as CVE-2017-15398, has been described as a stack-based buffer overflow affecting QUIC, a transport network protocol that reduces latency compared to TCP.

The second update released by Google for the Windows, Mac and Linux versions of Chrome 62 patches a couple of vulnerabilities rated critical and high severity.

The critical flaw, tracked as CVE-2017-15398, has been described as a stack-based buffer overflow affecting QUIC, a transport network protocol that reduces latency compared to TCP.

The security hole was reported to Google by Ned Williamson on October 24. The tech giant has yet to determine how much it will pay the researcher for reporting the vulnerability, but it could earn him over $10,000.

Earlier this year, Williamson received more than $20,000 from Google for two high severity Chrome flaws related to the IndexedDB noSQL storage system.

The second vulnerability patched with the latest Chrome 62 update is a high severity use-after-free bug affecting the V8 JavaScript engine. This flaw, tracked as CVE-2017-15399, earned Zhao Qixun of the Chinese security firm Qihoo 360 a bounty of $7,500.

Qixun, known online as S0rryMybad, previously reported a type confusion in V8 that earned him the same amount of money. The researcher pointed out on Monday that Google made the details of that flaw public.

The details of the latest vulnerabilities will only be disclosed several weeks from now, after users have had a chance to update their installations. An alert published on Monday by US-CERT warned that an attacker could exploit the flaws to take control of an affected system.

Released in mid-October, the first stable version of Chrome 62 included patches for no less than 35 vulnerabilities, 20 of which were reported by external researchers, including eight high, seven medium, and five low severity flaws. At the time, Google announced paying over $40,000 in bug bounties to the reporting researchers.

Advertisement. Scroll to continue reading.

The first Chrome 62 update, released on October 26, resolved a high severity stack-based buffer overflow vulnerability in V8. The security hole earned Yuan Deng of Ant-financial Light-Year Security Lab $3,000.

Related: Google Patches High Risk Flaws in Chrome

Related: Microsoft Discloses Code Execution Flaw in Chrome

Related: Google to Remove Support for PKP in Chrome

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.