Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Google Awards $42,000 for Two Serious Chrome Vulnerabilities

Google on Monday announced that a security update released for the Chrome web browser patches several high-severity vulnerabilities.

Google on Monday announced that a security update released for the Chrome web browser patches several high-severity vulnerabilities.

Arriving on Windows, Mac, and Linux computers as Chrome 92.0.4515.159, the latest browser iteration packs a total of 9 security fixes, including 7 for bugs identified by external security researchers.

The most severe of these are CVE-2021-30598 and CVE-2021-30599, two type confusion issues in the V8 JavaScript engine that were identified and reported in July by Manfred Paul. Google paid the researcher $21,000 for each of these security flaws.

The researcher told SecurityWeek that type confusion bugs can typically be exploited by luring the targeted user to a malicious website, and they allow the attacker to achieve arbitrary code execution in the renderer process. However, he noted that a separate vulnerability is needed to escape the Chrome sandbox.

Researchers have found plenty of Chrome sandbox escape vulnerabilities in the past few years, and Google typically awards significant bug bounties for these types of flaws.

The Internet search giant also patched a use-after-free bug in Printing (CVE-2021-30600, reported by Leecraso and Guang Gong of 360 Alpha Lab) and another in Extensions API (CVE-2021-30601, reported by koocola and Nan Wang of 360 Alpha Lab).

The company paid $20,000 in bug bounties for each of these issues.

Google has yet to reveal the bounty amount for two other use-after-free vulnerabilities – one in WebRTC (CVE-2021-30602) and another in ANGLE (CVE-2021-30604). In addition, a high-severity race condition in WebAudio (CVE-2021-30603) was reported by a Google researcher.

This year, Google patched more than half a dozen actively exploited zero-day vulnerabilities in Chrome, along with security flaws that could be exploited through malicious extensions, but also announced a series of overall security and privacy improvements in the browser.

*additional reporting by Eduard Kovacs

Related: Google Adds HTTPS-First Mode to Chrome

Related: Google: New Chrome Zero-Day Being Exploited

Related: Google Confirms Sixth Zero-Day Chrome Attack in 2021

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.