Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Chrome 124, Firefox 125 Patch High-Severity Vulnerabilities

Chrome and Firefox security updates resolve over 35 vulnerabilities, including a dozen high-severity bugs.

Google and Mozilla on Tuesday announced security updates that address more than 35 vulnerabilities in their browsers, including a dozen high-severity flaws.

Chrome 124 was released in the stable channel with patches for 22 bugs, 13 of which were reported by external researchers.

Of the externally reported flaws, three are high-severity issues. Based on the bug bounty reward handed out, the most severe of these is CVE-2024-3832, described as an object corruption defect in the V8 JavaScript engine.

Google credited Man Yue Mo of GitHub Security Lab for reporting the vulnerability and says it paid out a $20,000 reward for it.

The researcher also reported CVE-2024-3833, a high-severity object corruption issue in WebAssembly, for which Google handed out a $10,000 reward.

The third high-severity flaw reported by an external researcher is CVE-2024-3834, a use-after-free defect in Downloads. Google says it handed out a $3,000 bug bounty reward for this report.

This Chrome update also resolves six medium-severity and four low-severity issues reported by outside researchers.

The internet giant says it paid out a total of $65,000 in bug bounty rewards for these flaws. However, the final amount might be higher, as Google has yet to determine the amount to be handed out for two of the bugs.

Advertisement. Scroll to continue reading.

The latest Chrome iteration is now rolling out as version 124.0.6367.60/.61 for Windows and macOS and as version 124.0.6367.60 for Linux.

Firefox 125 was released with patches for 15 vulnerabilities, including nine high-severity bugs, some of which could allow attackers to execute arbitrary code.

Five of the high-severity issues impact the JIT component, which, under certain conditions, could return the wrong object, generate code with out-of-bounds-reads, create incorrect code for arguments, or crash while tracing a mutated JavaScript object.

Two of the remaining high-severity bugs are related to garbage collection, while the other two are memory safety bugs that, with enough effort from attackers, “could have been exploited to run arbitrary code”.

The Firefox update also resolves five medium-severity security defects and a low-severity one. The former, tracked as CVE-2024-3302, could lead to denial-of-service (DoS) using HTTP/2 CONTINUATION frames, using a new attack method called HTTP/2 Continuation Flood.

On Tuesday, Mozilla also announced the release of Firefox ESR 115.10, which resolves nine of the vulnerabilities addressed in Firefox 125.

Related: Google Pays Out $41,000 for Three Serious Chrome Vulnerabilities

Related: Chrome 123, Firefox 124 Patch Serious Vulnerabilities

Related: Chrome 122, Firefox 123 Patch High-Severity Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.

Register

People on the Move

Fastly announced that Scott Lovett will join the company as Chief Revenue Officer, effective June 3, 2024.

Digital transformation consulting firm Synechron has hired Aaron Momin as CISO.

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

More People On The Move

Expert Insights