Security Experts:

Chrome 74 Patches 39 Vulnerabilities

Google this week released Chrome 74 to the stable channel with patches for 39 vulnerabilities, as well as with several other tweaks inside.

Of the 39 security fixes included in the new browser iteration, 19 were for vulnerabilities reported by external researchers. These include 5 High severity flaws, 12 Medium risk bugs, and 2 Low severity issues.

The High risk vulnerabilities addressed in Chrome 74 include a use-after-free in PDFium (CVE-2019-5805), an integer overflow in Angle (CVE-2019-5806), a memory corruption in V8 (CVE-2019-5807), and two use-after-free bugs in Blink (CVE-2019-5808 and CVE-2019-5809).

The reporters of the first four vulnerabilities received $3,000 each in bug bounty rewards. Google has yet to disclose whether it paid any reward for the fifth flaw.

The Medium severity issues include a user information disclosure flaw in Autofill (CVE-2019-5810), a CORS bypass in Blink (CVE-2019-5811), URL spoofing in Omnibox on iOS (CVE-2019-5812), and an out-of-bounds read bug in V8 (CVE-2019-5813). These vulnerabilities brought their reporters $2,000 (the first of them received an extra $1,337).

Other issues Google addressed include a heap buffer overflow in Blink (CVE-2019-5815), a CORS bypass in Blink (CVE-2019-5814), exploit persistence extension on Android (CVE-2019-5816), and a heap buffer overflow in Angle on Windows (CVE-2019-5817), and the company paid $1,000 for every one of them.

The reporter of an uninitialized value issue in the media reader component (CVE-2019-5818) received $500, but those reporting an incorrect escaping bug in developer tools (CVE-2019-5819), and integer overflows in PDFium (CVE-2019-5820 and CVE-2019-5821) received no reward.

The two Low risk bugs patched in this Chrome release are CVE-2019-5822 (CORS bypass in download manager), and CVE-2019-5823 (forced navigation from service worker). Google paid $500 in bug bounties for each of these vulnerabilities.

The latest browser release is now available for Windows, Mac and Linux as Chrome 74.0.3729.108.

In addition to these security fixes, the application includes various other improvements and user experience enhancements, such as a dark mode for Windows 10 users, which can be enabled either by adding --force-dark-mode at the end of the shortcut used to launch the browser, or by switching the operating system’s skin to the Dark setting.

Related: Google Patches Actively Exploited Chrome Vulnerability

Related: Chrome Zero-Day Exploited to Harvest User Data via PDF Files

view counter