Security Experts:

Chrome 79 Patches Critical Vulnerabilities

Google this week released Chrome 79 to the stable channel with a total of 51 security fixes, including 37 reported by external researchers, two of which are considered critical severity.

Of the remaining bugs reported by external researchers, 8 are considered high risk, 18 have a medium severity rating, and 9 are considered low-risk.

The two critical flaws include CVE-2019-13725, a use-after-free in the Bluetooth component reported by Gengming Liu and Jianyu Chen of Tencent Keen Security Lab, and CVE-2019-13726, a heap buffer overflow in password manager, reported by Sergei Glazunov of Google Project Zero.

Google revealed that it paid $20,000 for the use-after-free flaw, but has yet to determine the bug bounty reward for the heap buffer overflow.

The high-risk vulnerabilities addressed in this release include insufficient policy enforcement in WebSockets (CVE-2019-13727), out of bounds write in V8 (CVE-2019-13728 and CVE-2019-13735), use-after-free in WebSockets (CVE-2019-13729), type confusion in V8 (CVE-2019-13730 and CVE-2019-13764), use-after-free in WebAudio (CVE-2019-13732), and out of bounds write in SQLite (CVE-2019-13734).

The medium-severity flaws include an integer overflow in PDFium; insufficient policy enforcement in autocomplete, navigation, Omnibox, cookies, audio, and developer tools; incorrect security UIs in Omnibox, sharing, and external protocol handling; insufficient validation of untrusted input in Blink; uninitialized use in rendering and SQLite; and out of bounds read and insufficient data validation issues in SQLite.

Low-severity flaws patched in Chrome 79 include insufficient policy enforcements in extensions, navigation, downloads, and payments; and incorrect security UIs in printing, interstitials, and Omnibox.

Google has also included in its browser a warning when encountering reused passwords: Chrome will alert users of such passwords when they attempt to log into websites. Previously available through an extension, the feature is now baked into the application.

Overall, Google paid $80,000 in bug bounties to reporting security researchers, but it has yet to disclose the amount paid for 10 of the vulnerabilities, including one critical and four high-severity issues.

The new browser iteration is now available for download as Chrome 79.0.3945.79, for Windows, Mac and Linux.

Related: Chrome 78 Released With DoH, 37 Security Patches

Related: Google Patches 8 Vulnerabilities in Chrome 77

Related: Google Patches More High-Value Chrome Sandbox Escape Vulnerabilities

view counter