Google on Monday announced that a security update released for the Chrome web browser patches several high-severity vulnerabilities.
Arriving on Windows, Mac, and Linux computers as Chrome 92.0.4515.159, the latest browser iteration packs a total of 9 security fixes, including 7 for bugs identified by external security researchers.
The researcher told SecurityWeek that type confusion bugs can typically be exploited by luring the targeted user to a malicious website, and they allow the attacker to achieve arbitrary code execution in the renderer process. However, he noted that a separate vulnerability is needed to escape the Chrome sandbox.
The Internet search giant also patched a use-after-free bug in Printing (CVE-2021-30600, reported by Leecraso and Guang Gong of 360 Alpha Lab) and another in Extensions API (CVE-2021-30601, reported by koocola and Nan Wang of 360 Alpha Lab).
The company paid $20,000 in bug bounties for each of these issues.
Google has yet to reveal the bounty amount for two other use-after-free vulnerabilities – one in WebRTC (CVE-2021-30602) and another in ANGLE (CVE-2021-30604). In addition, a high-severity race condition in WebAudio (CVE-2021-30603) was reported by a Google researcher.
This year, Google has patched more than half a dozen actively exploited zero-day vulnerabilities in Chrome, along with security flaws that could be exploited through malicious extensions, and has also announced a series of overall security and privacy improvements in the browser.
*additional reporting by Eduard Kovacs