An update released this week by Google for Chrome 87 patches 16 vulnerabilities, including 14 rated high severity. The company has awarded more than $100,000 for these vulnerabilities.
These security flaws can be exploited remotely by unauthenticated attackers to execute arbitrary code and compromise the targeted systems. To trigger the weaknesses, an adversary would need to craft a malicious page and trick the user into visiting it.
Eight of the addressed vulnerabilities are use-after-free bugs impacting various components of the web browser.
The most important of these use-after-free issues affect autofill, drag and drop, and media components, and are tracked as CVE-2021-21106, CVE-2021-21107, and CVE-2021-21108, respectively.
Google paid the reporting security researchers $20,000 for each of these vulnerabilities.
Next in line are CVE-2021-21109 and CVE-2021-21110, use-after-free bugs in payments and safe browsing, respectively. The reporting researchers received $15,000 bug bounties for each of the bugs.
Google also addressed a use-after-free in Blink (CVE-2021-21112), for which it paid a $7,500 bounty reward, and two more in audio (CVE-2021-21114) and safe browsing (CVE-2021-21115), but hasn’t issued monetary rewards for them yet.
Other high-risk flaws the new browser release fixes include insufficient policy enforcement in WebUI (CVE-2021-21111), heap buffer overflow in Skia (CVE-2021-21113), insufficient data validation in networking (CVE-2020-16043), and out of bounds write in V8 (CVE-2020-15995).
Google also addressed high-severity memory corruption vulnerabilities that were identified internally, and which were not issued CVE identifiers, as well as medium-severity bugs.
Chrome 87.0.4280.141 is rolling out for Windows, Linux, and macOS. Users are advised to update to the new release to remain protected.
In an alert issued on Thursday, the Multi-State Information Sharing and Analysis Center (MS-ISAC) warned that these vulnerabilities represent a high risk for large and medium government and business entities and advised them to update as soon as possible.