Security Experts:

Chrome 62 Update Patches Serious Vulnerabilities

The second update released by Google for the Windows, Mac and Linux versions of Chrome 62 patches a couple of vulnerabilities rated critical and high severity.

The critical flaw, tracked as CVE-2017-15398, has been described as a stack-based buffer overflow affecting QUIC, a transport network protocol that reduces latency compared to TCP.

The security hole was reported to Google by Ned Williamson on October 24. The tech giant has yet to determine how much it will pay the researcher for reporting the vulnerability, but it could earn him over $10,000.

Earlier this year, Williamson received more than $20,000 from Google for two high severity Chrome flaws related to the IndexedDB noSQL storage system.

The second vulnerability patched with the latest Chrome 62 update is a high severity use-after-free bug affecting the V8 JavaScript engine. This flaw, tracked as CVE-2017-15399, earned Zhao Qixun of the Chinese security firm Qihoo 360 a bounty of $7,500.

Qixun, known online as S0rryMybad, previously reported a type confusion in V8 that earned him the same amount of money. The researcher pointed out on Monday that Google made the details of that flaw public.

The details of the latest vulnerabilities will only be disclosed several weeks from now, after users have had a chance to update their installations. An alert published on Monday by US-CERT warned that an attacker could exploit the flaws to take control of an affected system.

Released in mid-October, the first stable version of Chrome 62 included patches for no less than 35 vulnerabilities, 20 of which were reported by external researchers, including eight high, seven medium, and five low severity flaws. At the time, Google announced paying over $40,000 in bug bounties to the reporting researchers.

The first Chrome 62 update, released on October 26, resolved a high severity stack-based buffer overflow vulnerability in V8. The security hole earned Yuan Deng of Ant-financial Light-Year Security Lab $3,000.

Related: Google Patches High Risk Flaws in Chrome

Related: Microsoft Discloses Code Execution Flaw in Chrome

Related: Google to Remove Support for PKP in Chrome

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.