Google this week announced that an update for Chrome 84 includes 15 security patches, including for a serious vulnerability for which the tech giant awarded a $10,000 bug bounty.
This vulnerability is CVE-2020-6542, a high-severity use-after-free bug in ANGLE (Almost Native Graphics Layer Engine), the Chrome component responsible for translating OpenGL ES API calls to hardware-supported APIs available for the operating system (such as Vulkan, OpenGL, and Direct3D).
Discovered by Piotr Bania of Cisco Talos, the remote code execution vulnerability is easy to exploit, as the attacker only needs to set up a website containing malicious code that would be triggered upon user visit.
“The attack can be embedded in a webpage. An attacker simply needs the ability to embed the code into a site either under their control or via something like an online advertisement. No further interaction is required,” the security researcher told SecurityWeek.
Bania also explains that one of the conditions that has to be met for successful exploitation is for ANGLE to be supported and enabled, which it is by default. The victim then has to visit the page hosting the malicious HTML code using the Chrome browser.
Google awarded the security researcher a $10,000 bug bounty reward for reporting this vulnerability.
The new browser iteration also patches use-after-free vulnerabilities in task scheduling (CVE-2020-6543), media (CVE-2020-6544), and audio (CVE-2020-6545) components, which were awarded $7,500, $7,500, and $5,000 rewards, respectively.
Three other high-severity use-after-free vulnerabilities that were patched in the new browser release either remain without a monetary reward because they were reported by Google researchers (CVE-2020-6549 – impacts media, CVE-2020-6550 – affects IndexedDB, CVE-2020-6551 – affects WebXR), or haven’t had a bug bounty set (CVE-2020-6552 – impacts Blink, and CVE-2020-6553 – affects offline mode).
The remaining high-risk bugs patched in Chrome 84 include CVE-2020-6546 (inappropriate implementation in installer), CVE-2020-6547 (incorrect security UI in media), and CVE-2020-6548 (heap buffer overflow in Skia). Google has yet to provide information on the bug bounties paid to the reporting researchers.
Google also fixed two medium-severity flaws reported by external researchers, namely CVE-2020-6554, a use-after-free in extensions, and CVE-2020-6555, an out-of-bounds read in WebGL, and paid $5,000 and $1,000 in bug bounties for them.
The latest Chrome release, available as version 84.0.4147.125, is already rolling out to Windows, Mac, and Linux users.