Google Pays $55,000 for High-Severity Chrome Browser Bug

Google pushes out major Chrome browser updates to fix multiple serious security defects.

Google has pushed a major Chrome browser update to patch three vulnerabilities, including two high-severity memory safety bugs reported by external researchers.

The first of the externally reported issues, tracked as CVE-2024-12381, is a type confusion flaw in the V8 JavaScript engine that earned the reporting researcher a $55,000 bug bounty reward.

As is customary, Google is withholding the technical details of this vulnerability until the patch has reached most users. Based on Google’s updated vulnerability reward amounts, it is highly likely that the defect could be exploited to achieve remote code execution (RCE).

Prevalent in programming languages that lack memory safety mechanisms, such as C and C++, type confusion vulnerabilities occur when a resource is accessed as if it had a type incompatible with its actual type, so the program misinterprets the underlying data and makes logically incorrect decisions.

Type confusion bugs in Chrome’s V8 JavaScript engine could allow threat actors to execute malicious code and potentially access sensitive information or compromise the user’s system.
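To illustrate the mechanism described above, here is an added toy example in C (not code from the article, and not V8's actual value representation): a hypothetical tagged `Value` type, an accessor that trusts the caller's type assumption and reinterprets a string's pointer bits as an integer, and a hardened accessor that checks the tag first.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example: a minimal tagged value, in the spirit of a
 * scripting-engine "Value" (hypothetical; V8's layout differs). */
typedef enum { TAG_INT, TAG_STRING } Tag;

typedef struct {
    Tag tag;
    union {
        intptr_t    i;   /* pointer-sized so both members overlap exactly */
        const char *s;
    } u;
} Value;

static Value make_int(intptr_t i)       { Value v = { .tag = TAG_INT };    v.u.i = i; return v; }
static Value make_string(const char *s) { Value v = { .tag = TAG_STRING }; v.u.s = s; return v; }

/* Confused accessor (CWE-843): assumes the Value is an int and reads the
 * union payload without consulting the tag. On a string Value this yields
 * the pointer bits, which the caller then treats as a trusted integer. */
static intptr_t int_value_unchecked(const Value *v) { return v->u.i; }

/* Hardened accessor: the tag is verified before the payload is interpreted,
 * so a type mismatch is reported instead of silently misread. */
static bool int_value_checked(const Value *v, intptr_t *out) {
    if (v->tag != TAG_INT) return false;
    *out = v->u.i;
    return true;
}

/* Returns 1 if the unchecked read of a string Value produced the pointer
 * bits (the confusion) while the checked read correctly refused it. */
static int demo_confusion(void) {
    const char *text = "hello";
    Value s = make_string(text);
    intptr_t bogus = int_value_unchecked(&s);   /* pointer reinterpreted as int */
    intptr_t ok = 0;
    bool accepted = int_value_checked(&s, &ok); /* false: tag is TAG_STRING */
    return (bogus == (intptr_t)text) && !accepted;
}

/* Returns 1 if the checked accessor returns the real integer for an int Value. */
static int demo_checked_ok(void) {
    Value v = make_int(42);
    intptr_t out = 0;
    return int_value_checked(&v, &out) && out == 42;
}
```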

Last week, Google patched another type confusion vulnerability in V8 reported by an external researcher, and announced that it handed out an $8,000 bug bounty reward. The issue is tracked as CVE-2024-12053.

The latest Chrome 131 update also resolves CVE-2024-12382, a use-after-free security defect in Chrome’s Translate component. Google has yet to disclose the bug bounty amount to be paid for this bug.

In addition to releasing two Chrome 131 security updates, Google also updated the browser’s Extended Stable channel twice over the past week. The latest version is now rolling out as version 130.0.6723.160 for Windows and macOS.

The latest Chrome iteration is being distributed as versions 131.0.6778.139/.140 for Windows and macOS, and as version 131.0.6778.139 for Linux.

Google makes no mention of any of these vulnerabilities being exploited in the wild, but threat actors have been observed targeting flaws in Chrome’s V8 engine.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
