
Google Patches High Risk Flaws in Chrome

Google this week released an updated version of Chrome 61 to address two High severity vulnerabilities.

Available for download as version 61.0.3163.100, the new Chrome build was pushed to all Windows, Mac, and Linux users and should reach everyone over the next several days or weeks.
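Because the rollout reaches users gradually, an inventory check against the fixed build is the practical follow-up. The following is an added example, not code from the article or from Google: it parses Chrome version strings (such as the output of `chrome --version`) and compares them component by component against 61.0.3163.100, the build the article names as carrying the fix for CVE-2017-5121 and CVE-2017-5122. A plain string comparison would get this wrong, since "61.0.3163.79" sorts after "61.0.3163.100" lexically. The host inventory is constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Build named in the article as carrying the fixes for CVE-2017-5121 and CVE-2017-5122.
PATCHED_CHROME_61 = "61.0.3163.100"


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the first dotted numeric run from text and return it as a tuple of ints.

    Accepts bare versions ("61.0.3163.79") as well as tool output such as
    "Google Chrome 61.0.3163.79". Raises ValueError if no version is present.
    """
    match = re.search(r"\d+(?:\.\d+){1,3}", text)
    if not match:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def is_patched(installed: str, fixed: str = PATCHED_CHROME_61) -> bool:
    """Return True when installed >= fixed, comparing each component numerically.

    Later release lines (62.x and up) include the fix, so anything at or above
    the fixed build counts as patched. Shorter versions are padded with zeros so
    that "61.0" compares as 61.0.0.0.
    """
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def unpatched_hosts(inventory: Dict[str, str], fixed: str = PATCHED_CHROME_61) -> List[str]:
    """Return the sorted list of host names whose Chrome is below the fixed build."""
    return sorted(host for host, version in inventory.items() if not is_patched(version, fixed))


# Constructed sample inventory (hypothetical host names and versions, not real data).
SAMPLE_INVENTORY = {
    "ws-01": "Google Chrome 61.0.3163.79",   # previous Chrome 61 build, still exposed
    "ws-02": "61.0.3163.100",                 # exactly the fixed build
    "ws-03": "62.0.3202.62",                  # later release line, includes the fix
    "ws-04": "60.0.3112.113",                 # older release line
}

if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is below {PATCHED_CHROME_61}")
```

Feed the function a real inventory (for example, the version strings collected by an endpoint management agent) and the returned list is the set of machines that have not yet received the update.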


The updated browser includes fixes for three security issues, two of which were discovered by external researchers. Two of the three flaws were rated High severity.

The first is an out-of-bounds access in V8, the browser's JavaScript engine. Tracked as CVE-2017-5121, the flaw was reported by Jordan Rabet of Microsoft Offensive Security Research and the Microsoft ChakraCore team on 2017-09-14 and earned a $7,500 bounty, Krishna Govind of the Google Chrome team notes in a blog post.

Tracked as CVE-2017-5122, the second High risk flaw addressed in the latest Chrome release is also an out-of-bounds access in V8. Reported by Choongwoo Han of Naver Corporation on 2017-08-04, the vulnerability earned a $3,000 bounty.

To date, Google has addressed 25 vulnerabilities across the various Chrome 61 releases, including 12 issues reported by external researchers. Eight of these security bugs were rated High severity.

These include vulnerabilities such as use after free in PDFium, heap buffer overflow bugs in WebGL and Skia, a memory lifecycle issue in PDFium, and type confusion flaws in V8, in addition to the aforementioned out-of-bounds access issues in V8.

Issues of lower severity included two use-of-uninitialized-value bugs in Skia, a Content Security Policy bypass in Blink, and a potential HTTPS downgrade during redirect navigation.


Google paid over $30,000 in bug bounty rewards to the external security researchers who reported these issues. The highest reward was $7,500, but three researchers received $5,000 each for their submissions.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
