Google this week announced the release of Chrome 106 to the stable channel with patches for 20 vulnerabilities, including 16 reported by external researchers.
Of the externally reported security bugs, five are rated ‘high’ severity, eight are ‘medium’ severity, and three are ‘low’ severity.
Half of these vulnerabilities are use-after-free bugs, which could lead to arbitrary code execution, denial of service, or data corruption. If combined with other vulnerabilities, the bugs could be exploited to achieve full system compromise.
In Chrome, use-after-free flaws can often be exploited for sandbox escapes, and Google earlier this month announced improved protections against the exploitation of these security holes.
Of the five high-severity issues that Chrome 106 resolves, four are use-after-free vulnerabilities impacting three browser components, namely CSS, Survey, and Media. The fifth is an insufficient validation of untrusted input in Developer Tools.
The latest browser release also resolves three medium-severity use-after-free vulnerabilities, which impact three other Chrome components: Assistant, Import, and Logging.
The browser update also resolves medium-severity insufficient policy enforcement in Developer Tools and Custom Tabs, insufficient validation of untrusted input in VPN, incorrect security UI in Full Screen, and a type confusion in Blink.
Google says it has paid out a total of over $38,000 in bug bounty rewards to the reporting researchers, but has yet to determine the amount to be handed out for half of the security flaws.
The internet giant makes no mention of any of the resolved vulnerabilities being exploited in attacks.
The latest Chrome iteration is now rolling out to macOS and Linux users as version 106.0.5249.61, and arrives on Windows computers as versions 106.0.5249.61/62.
Related: Google Improves Chrome Protections Against Use-After-Free Bug Exploitation
Related: Google Patches Sixth Chrome Zero-Day of 2022
Related: Chrome 105 Patches Critical, High-Severity Vulnerabilities
More from Ionut Arghire
- Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability
- US, Israel Provide Guidance on Securing Remote Access Software
- Blumira Raises $15 Million for SMB-Tailored XDR Platform
- KeePass Update Patches Vulnerability Exposing Master Password
- Google Workspace Gets Passkey Authentication
- Cybersecurity Startup Elba Raises €2.5 Million for Employee-Focused Product
- Apple Unveils Upcoming Privacy and Security Features
- Dozens of Malicious Extensions Found in Chrome Web Store
Latest News
- Barracuda Urges Customers to Replace Hacked Email Security Appliances
- Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability
- BBC, British Airways, Novia Scotia Among First Big-Name Victims in Global Supply-Chain Hack
- Sysdig Introduces CNAPP With Realtime CDR
- Stay Focused on What’s Important
- VMware Plugs Critical Flaws in Network Monitoring Product
- Google Patches Third Chrome Zero-Day of 2023
- Hackers Issue ‘Ultimatum’ Over Payroll Data Breach
