Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Chrome 79 Patches Critical Vulnerabilities

Google this week released Chrome 79 to the stable channel with a total of 51 security fixes, including 37 reported by external researchers, two of which are considered critical severity.

Google this week released Chrome 79 to the stable channel with a total of 51 security fixes, including 37 reported by external researchers, two of which are considered critical severity.

Of the remaining bugs reported by external researchers, 8 are considered high risk, 18 have a medium severity rating, and 9 are considered low-risk.

The two critical flaws include CVE-2019-13725, a use-after-free in the Bluetooth component reported by Gengming Liu and Jianyu Chen of Tencent Keen Security Lab, and CVE-2019-13726, a heap buffer overflow in password manager, reported by Sergei Glazunov of Google Project Zero.

Google revealed that it paid $20,000 for the use-after-free flaw, but has yet to determine the bug bounty reward for the heap buffer overflow.

The high-risk vulnerabilities addressed in this release include insufficient policy enforcement in WebSockets (CVE-2019-13727), out of bounds write in V8 (CVE-2019-13728 and CVE-2019-13735), use-after-free in WebSockets (CVE-2019-13729), type confusion in V8 (CVE-2019-13730 and CVE-2019-13764), use-after-free in WebAudio (CVE-2019-13732), and out of bounds write in SQLite (CVE-2019-13734).

The medium-severity flaws include an integer overflow in PDFium; insufficient policy enforcement in autocomplete, navigation, Omnibox, cookies, audio, and developer tools; incorrect security UIs in Omnibox, sharing, and external protocol handling; insufficient validation of untrusted input in Blink; uninitialized use in rendering and SQLite; and out of bounds read and insufficient data validation issues in SQLite.

Low-severity flaws patched in Chrome 79 include insufficient policy enforcements in extensions, navigation, downloads, and payments; and incorrect security UIs in printing, interstitials, and Omnibox.

Google has also included in its browser a warning when encountering reused passwords: Chrome will alert users of such passwords when they attempt to log into websites. Previously available through an extension, the feature is now baked into the application.

Overall, Google paid $80,000 in bug bounties to reporting security researchers, but it has yet to disclose the amount paid for 10 of the vulnerabilities, including one critical and four high-severity issues.

The new browser iteration is now available for download as Chrome 79.0.3945.79, for Windows, Mac and Linux.

Related: Chrome 78 Released With DoH, 37 Security Patches

Related: Google Patches 8 Vulnerabilities in Chrome 77

Related: Google Patches More High-Value Chrome Sandbox Escape Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.