Security Experts:

Connect with us

Hi, what are you looking for?



Chrome 77 Released with 52 Security Fixes

Google this week released Chrome 77 in the stable channel with various fixes and improvements, including 52 security patches.

Google this week released Chrome 77 in the stable channel with various fixes and improvements, including 52 security patches.

Thirty-six of all security fixes are for vulnerabilities reported by external researchers. These include one Critical bug, eight High severity issues, 17 Medium risk flaws, and 10 Low severity vulnerabilities.

The most important of the patches addresses a Critical use-after-free vulnerability in the media component. Tracked as CVE-2019-5870, the bug was reported by Guang Gong of the Alpha Team at Qihoo 360 on August 29. Google has yet to reveal information on the reward paid for the finding.

The first of the High severity bugs patched in Chrome 77 is a heap overflow in Skia (CVE-2019-5871), for which Google paid a $7,500 reward to the reporting researcher.

Google also addressed a use-after-free in Mojo (CVE-2019-5872), URL bar spoofing on iOS (CVE-2019-5873), and an issue with external URIs triggering other browsers (CVE-2019-5874), and awarded $3,000 in bug bounties for each of them.

Another High risk issue was a URL bar spoof via download redirect (CVE-2019-5875), for which Google paid a $2,000 bounty.

The Internet giant has yet to provide information on the bounty rewards paid for the last three High severity vulnerabilities reported by external researchers. These include use-after-free in media (CVE-2019-5876), out-of-bounds access in V8 (CVE-2019-5877), and use-after-free in V8 (CVE-2019-5878).

Medium severity bugs addressed with this release include extensions being able to bypass same origin policy, SameSite cookie bypass, arbitrary read in SwiftShader, URL spoof, full screen notification overlap, full screen notification spoof, CSP bypass, IDN spoof, and CSRF bypass.

Other Medium risk issues include multiple file download protection bypass issues, a side channel using storage size estimate, URI bar spoof when using external app URIs, global window leak via console, HTTP authentication spoof, V8 memory corruption in regex, dialog box failing to show origin, and cross-origin information leak using devtools.

The Low severity bugs fixed in Chrome 77 have been described as IDN spoofing, extensions being disabled by trailing slash, Google URI shown for certificate warning, Chrome web store origin requiring isolation, download dialog spoofing, user gesture needed for printing, IP address spoofing to servers, bypass on download restrictions, site isolation bypass, and exceptions leaked by devtools.

To date, Google paid a total of over $33,000 in bug bounties to the researchers who reported the bugs addressed in Chrome 77. However, the search giant has yet to provide information on the rewards paid for over a dozen vulnerabilities.

The latest Chrome iteration is available for download for Windows, Mac and Linux as version 77.0.3865.75.

Related: Chrome 76 Patches 43 Vulnerabilities

Related: Chrome OS 75 Adds More Mitigations for Intel MDS Flaws

Related: Google Boosts Chrome Protection Against Deceptive Sites

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet