"Chrome 110 Patches 15 Vulnerabilities"

Google recently announced that the first stable release of Chrome 110 brings 15 security fixes, including ten that address vulnerabilities reported by external researchers.  Of the externally reported bugs, three are rated high severity.  Google noted that these include a type confusion flaw in the V8 engine, an inappropriate implementation issue in full screen mode, and an out-of-bounds read vulnerability in WebRTC.  Tracked as CVE-2023-0696, the first of the security defects is described as a heap corruption that can be exploited remotely via a crafted HTML page.  Google paid a $7,000 bug bounty to the reporting researcher.  Google noted that the second high-severity flaw, CVE-2023-0697, impacts Chrome for Android and could allow a remote attacker to use a crafted HTML page to spoof the contents of the security UI.  Google rewarded the reporting researcher $4,000 for this bug.  The third issue, CVE-2023-0698, could be exploited remotely via an HTML page to perform an out-of-bounds memory read.  The reporting researcher received a $2,000 bug bounty for the find.  Google noted that Chrome 110 also resolves five medium-severity vulnerabilities reported by external researchers, including a use-after-free flaw in GPU, an inappropriate implementation bug in Download, a heap buffer overflow defect in WebUI, and two types of confusion issues in Data Transfer and DevTools.  Google says it handed out over $26,000 in bug bounty rewards to the reporting researchers.  Google did not mention whether these vulnerabilities were ever exploited in attacks.  The latest Chrome release is rolling out to users as versions 110.0.5481.77/.78 for Windows and version 110.0.5481.77 for Mac and Linux.  The iOS and Android versions of the browser have been updated to 110.0.5481.83 and 110.0.5481.63/.64, respectively.

SecurityWeek reports: "Chrome 110 Patches 15 Vulnerabilities"