Google Patches Six Vulnerabilities With First Chrome Update of 2024

Google has released a Chrome 120 update to resolve six vulnerabilities, including four reported by external researchers.

Google on Wednesday announced the first Chrome security update of 2024, which resolves six vulnerabilities, including four reported by external researchers.

All four externally reported security defects are high-severity memory safety flaws, but bug bounty rewards were handed out for only three of them, Google notes in its advisory.

The first two bugs, tracked as CVE-2024-0222 and CVE-2024-0223, are use-after-free and heap buffer overflow vulnerabilities in the graphics rendering engine ANGLE.

Both issues were reported by Qrious Secure researchers, who received $15,000 bug bounty rewards for each of them.

The third bug, CVE-2024-0224, is a use-after-free defect in Chrome’s WebAudio component. Google says it handed out a $10,000 bug bounty for this flaw to the Ant Group Light-Year Security Lab researcher who reported it.

The latest Chrome update also resolves a use-after-free vulnerability in WebGPU. The bug is tracked as CVE-2024-0225 and Google has yet to disclose the bug bounty amount to be paid to the reporting researcher.

Use-after-free issues occur when a pointer to a memory allocation is not cleared after that allocation is freed and the program keeps using it; they typically lead to arbitrary code execution, data corruption, or denial of service.

In Chrome, use-after-free bugs can be exploited to escape the browser’s sandbox if the attacker also targets a flaw in the underlying operating system or in a privileged process.
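The dangling-pointer condition described above, and the clear-on-free discipline that removes it, as an added C example that is not from the article or from Chromium; the `session` type and every function name here are hypothetical:

```c
/* Added example (not from the article): the use-after-free precondition and
 * the clear-the-pointer-on-free mitigation. All names are hypothetical. */
#include <stdlib.h>
#include <string.h>

typedef struct {
    int id;
    char user[32];
} session;

/* Creates a session from constructed sample data. */
static session *session_new(int id, const char *user) {
    session *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->id = id;
    strncpy(s->user, user, sizeof s->user - 1);
    return s;
}

/* Unsafe release: frees the block but leaves the caller's pointer intact, so
 * the caller still holds a dangling pointer to freed memory. Returns 1 if the
 * pointer still dangles (only its value is compared; it is never dereferenced). */
static int release_unsafe(session **slot) {
    free(*slot);
    return *slot != NULL;   /* pointer not cleared: later use is a UAF */
}

/* Safe release: frees and clears the pointer, so any later use is a
 * detectable NULL dereference instead of a silent read of recycled memory. */
static int release_safe(session **slot) {
    free(*slot);
    *slot = NULL;
    return *slot != NULL;   /* always 0 */
}

/* Guarded accessor: returns the session id, or -1 when the slot was cleared. */
static int session_id(const session *s) {
    return s ? s->id : -1;
}

/* Exercises both paths without ever touching freed memory. Returns 1 when the
 * unsafe path leaves a dangling pointer and the safe path does not. */
int demo(void) {
    session *a = session_new(7, "alice");
    session *b = session_new(8, "bob");
    int a_dangles = release_unsafe(&a);   /* 1: a still points at freed memory */
    int b_dangles = release_safe(&b);     /* 0: b is NULL now */
    return a_dangles == 1 && b_dangles == 0 && session_id(b) == -1;
}
```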


Google has long been working on improving memory safety in Chrome, and has also hardened the browser against the exploitation of use-after-free vulnerabilities.

Despite these efforts, dozens of use-after-free issues were documented in the browser last year, most of them rated ‘high severity’.

The latest Chrome iteration is now rolling out as version 120.0.6099.199 for macOS and Linux and as versions 120.0.6099.199/200 for Windows. Google updated Chrome’s extended stable channel to version 120.0.6099.199 for macOS and to version 120.0.6099.200 for Windows.

The internet giant makes no mention of any of the vulnerabilities patched with this Chrome update being exploited in the wild.

Related: Google Rushes to Patch Eighth Chrome Zero-Day This Year

Related: Chrome 120 Update Patches High-Severity Vulnerabilities

Related: Mozilla Patches Firefox Vulnerability Allowing Remote Code Execution, Sandbox Escape

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
