Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Chrome 105 Patches Critical, High-Severity Vulnerabilities

Google this week announced the first stable release of Chrome 105, which comes with patches for 24 vulnerabilities, including 13 use-after-free and heap buffer overflow bugs.

Twenty-one of the resolved security defects were reported by external researchers, including one critical-, eight high-, nine medium-, and three low-severity vulnerabilities.

Google this week announced the first stable release of Chrome 105, which comes with patches for 24 vulnerabilities, including 13 use-after-free and heap buffer overflow bugs.

Twenty-one of the resolved security defects were reported by external researchers, including one critical-, eight high-, nine medium-, and three low-severity vulnerabilities.

A total of nine use-after-free issues were resolved with the latest browser update, the most important of which is a critical flaw in the Network Service component, reported by Google Project Zero researcher Sergei Glazunov, the company notes in an advisory.

Chrome 105 also patches five high-severity use-after-free vulnerabilities, impacting browser components such as WebSQL, Layout, PhoneHub, and Browser Tag.

Google says it handed out between $5,000 and $10,000 for four of the issues, but has yet to determine the amount to be paid for the fifth.

Other high-severity bugs the latest Chrome update resolves include a heap buffer overflow in Screen Capture, an inappropriate implementation in Site Isolation, and an insufficient validation of untrusted input in V8.

Three of the medium-severity flaws that Chrome 105 patches are heap buffer overflow bugs, two are use-after-free issues, two insufficient policy enforcements, and two inappropriate implementations.

Google says it has paid more than $60,000 in bug bounty rewards to the reporting researchers, but the internet giant has yet to determine the amount to be paid for five of the bugs and the total amount could be higher.

The latest browser iteration is now rolling out to Mac and Linux users as Chrome 105.0.5195.52 and to Windows users as Chrome 105.0.5195.52/53/54.

Google made no mention of any of these vulnerabilities being exploited in malicious attacks.

So far this year, there have been five documented Chrome zero-day vulnerabilities exploited in attacks. The most recent of them was addressed roughly two weeks ago.

Related: Google Paid Out $90,000 for Vulnerabilities Patched by Chrome 104

Related: Chrome 103 Update Patches High-Severity Vulnerabilities

Related: Emergency Chrome 103 Update Patches Actively Exploited Vulnerability

Related: Google Patches Third Actively Exploited Chrome Zero-Day of 2022

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Vulnerabilities

A high-severity format string vulnerability in F5 BIG-IP can be exploited to cause a DoS condition and potentially execute arbitrary code.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Vulnerabilities

GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet