Google on Tuesday announced the release of Chrome 116 to the stable channel with patches for 26 vulnerabilities, including 21 reported by external researchers.
Of the externally reported bugs, eight have a severity rating of ‘high’, with most of them being memory safety issues.
Based on the bug bounty reward paid out, the most important of these is CVE-2023-2312, a use-after-free flaw in the Offline component. The reporting researcher was awarded a $30,000 bounty for the finding, Google’s advisory reveals.
Next in line is CVE-2023-4349, a use-after-free issue in Device Trust Connectors, followed by an inappropriate implementation in Fullscreen (CVE-2023-4350), and a use-after-free bug in Network (CVE-2023-4351), for which Google paid out bounties of $5,000, $3,000, and $2,000, respectively.
The remaining four high-severity vulnerabilities that Chrome 116 resolves include a type confusion flaw in the V8 JavaScript engine, a heap buffer overflow bug in ANGLE, another in Skia, and an out-of-bounds memory access issue in the V8 engine.
These issues were reported by researchers at Google Project Zero and Microsoft Vulnerability Research and, per Google’s policy, no bug bounty reward will be issued for them.
All the remaining externally-reported vulnerabilities addressed in Chrome 116 are medium-severity: six inappropriate implementation bugs, three use-after-free issues, two insufficient policy enforcement flaws, one insufficient validation of untrusted input, and one heap buffer overflow vulnerability.
Overall, Google handed out $63,000 in bug bounty rewards to the reporting researchers.
The internet giant makes no mention of any of these vulnerabilities being exploited in attacks.
The latest Chrome iteration is rolling out as version 116.0.5845.96 for Mac and Linux and as versions 116.0.5845.96/.97 for Windows.
Starting with Chrome 116, the internet giant announced last week, patches for the popular browser will be shipped on a weekly basis, to ensure that fixes for newly discovered flaws reach users faster.
Major Chrome iterations will continue to arrive every four weeks, but stable updates, which have been released every two weeks since 2020, will now be more frequent, reducing the patch gap.
“While we can’t fully remove the potential for n-day exploitation, a weekly Chrome security update cadence allows up to ship security fixes 3.5 days sooner on average, greatly reducing the already small window for n-day attackers to develop and use an exploit against potential victims and making their lives much more difficult,” Google said.
Related: Google Awards Over $60,000 for V8 Vulnerabilities Patched With Chrome 115 Update
Related: Chrome 115 Patches 20 Vulnerabilities
Related: Chrome and Its Vulnerabilities – Is the Web Browser Safe to Use?
More from Ionut Arghire
- Generative AI Startup Nexusflow Raises $10.6 Million
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
- Cloudflare Users Exposed to Attacks Launched From Within Cloudflare: Researchers
- FBI Warns Organizations of Dual Ransomware, Wiper Attacks
- Lumu Raises $30 Million for Threat Detection and Response Platform
- Cisco Warns of IOS Software Zero-Day Exploitation Attempts
- Russian Zero-Day Acquisition Firm Offers $20 Million for Android, iOS Exploits
Latest News
- Bankrupt IronNet Shuts Down Operations
- AWS Using MadPot Decoy System to Disrupt APTs, Botnets
- Generative AI Startup Nexusflow Raises $10.6 Million
- In Other News: RSA Encryption Attack, Meta AI Privacy, ShinyHunters Hacker Guilty Plea
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- National Security Agency is Starting an Artificial Intelligence Security Center
- CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
