Virtual Event Now Live: Cloud Security Summit | July 17 - Access Livestream
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Google Patches Six Vulnerabilities With First Chrome Update of 2024

Google has released a Chrome 120 update to resolve six vulnerabilities, including four reported by external researchers.

Google on Wednesday announced the first Chrome security update of 2024, which resolves six vulnerabilities, including four reported by external researchers.

All the four externally reported security defects are high-severity memory safety flaws, but bug bounty rewards were handed out only for three of them, Google notes in its advisory.

The first two bugs, tracked as CVE-2024-0222 and CVE-2024-0223, are use-after-free and heap buffer overflow vulnerabilities in the graphics rendering engine ANGLE.

Both issues were reported by Qrious Secure researchers, who received $15,000 bug bounty rewards for each of them.

The third bug, CVE-2024-0224, is a use-after-free defect in Chrome’s WebAudio component. Google says it handed out a $10,000 bug bounty for this flaw to the Ant Group Light-Year Security Lab researcher who reported it.

The latest Chrome update also resolves a use-after-free vulnerability in WebGPU. The bug is tracked as CVE-2024-0225 and Google has yet to disclose the bug bounty amount to be paid to the reporting researcher.

Use-after-free issues occur when the pointer is not cleared when freeing memory allocation and typically lead to arbitrary code execution, data corruption, or denial-of-service.

In Chrome, use-after-free bugs can be exploited to escape the browser’s sandbox, if the attacker targets a flaw in the underlying operating system or in a privileged process.

Advertisement. Scroll to continue reading.

Google has been long working on improving memory safety in Chrome, and also hardened the browser against the exploitation of use-after-free vulnerabilities.

Despite these efforts, dozens of use-after-free issues were documented in the browser last year, most of them rated ‘high severity’.

The latest Chrome iteration is now rolling out as version 120.0.6099.199 for macOS and Linux and as versions 120.0.6099.199/200 for Windows. Google updated Chrome’s extended stable channel to version 120.0.6099.199 for macOS and to version 120.0.6099.200 for Windows.

The internet giant makes no mention of any of the vulnerabilities patched with this Chrome update being exploited in the wild.

Related: Google Rushes to Patch Eighth Chrome Zero-Day This Year

Related: Chrome 120 Update Patches High-Severity Vulnerabilities

Related: Mozilla Patches Firefox Vulnerability Allowing Remote Code Execution, Sandbox Escape

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Anirban Sengupta has been named the CTO and SVP of Engineering of cloud networking and security firm Aviatrix.

Axonius has named Nick Degnan as its first Chief Revenue Officer and Rob Casselman as its first Chief Customer Officer.

Craig Boundy has left Experian to join McAfee as President and CEO.

More People On The Move

Expert Insights