SecurityWeek

Vulnerabilities

Google Patches Critical Vulnerability With Chrome 99 Update

A Chrome 99 update released by Google on Tuesday patches a critical vulnerability discovered by one of the company’s own researchers.

The critical flaw, tracked as CVE-2022-0971, has been described as a use-after-free issue affecting the Blink Layout component. Sergei Glazunov of Google Project Zero has been credited for reporting the flaw.

Google doesn’t often assign a “critical severity” rating to Chrome vulnerabilities. In fact, over the past year, only four other Chrome updates fixed a critical issue. Two of the four critical vulnerabilities were discovered by Glazunov, who has also identified a high-severity bug that was patched this week.

The latest Chrome update includes 11 security fixes, including eight with a “high severity” rating. These flaws, which can typically allow a sandbox escape or remote code execution, are mostly use-after-free issues.

Google has paid out nearly $40,000 to the external researchers who reported the vulnerabilities patched with this Chrome update, but some rewards have yet to be determined.

The internet giant said recently that it paid out nearly $9 million in bug bounties last year, including roughly $3.1 million for Chrome vulnerabilities.

There has been a surge in Chrome vulnerabilities exploited in the wild, with 14 zero-days exploited in 2021, far more than any other popular web browser.

Google last week attempted to explain this trend, naming several factors that have apparently contributed. The list includes more transparency regarding active exploitation, increased complexity of the browser, the need to chain multiple flaws for a useful exploit, and attackers increasingly targeting the browser itself following the death of Flash, their former favorite target.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.