"Chrome 120 Patches 10 Vulnerabilities"

Google recently announced the release of Chrome 120 to the stable channel with patches for 10 vulnerabilities.  According to Google, of the resolved issues, five were reported by external researchers, who received a total of $15,000 in bug bounty rewards.  Based on the reward handed out, the most serious of the flaws is CVE-2023-6508, a high-severity use-after-free issue in Media Stream.  Google says it paid out $10,000 for the bug.  Next in line is CVE-2023-6509, a high-severity use-after-free defect that impacts Chrome’s Side Panel Search component.  Google noted that the latest browser release also resolves a medium-severity use-after-free vulnerability in Media Capture and two low-severity inappropriate implementation flaws in Autofill and Web Browser UI.  Use-after-free issues are a type of memory corruption bug that occurs when the pointer is not cleared after freeing memory allocation and could lead to the execution of arbitrary code, data corruption, or denial-of-service.  When combined with other vulnerabilities, use-after-free defects may be exploited to fully compromise a system.  Google noted that in Chrome, use-after-free flaws could be exploited to escape the sandbox.  For that, however, the exploitation of a security defect in the underlying operating system or in a privileged process is required.  The latest Chrome iteration is now rolling out as version 120.0.6099.62 for macOS and Linux and as versions 120.0.6099.62/.63 for Windows.  Google also announced that it has updated the Chrome Extended Stable channel to version 120.0.6099.62 for macOS and to version 120.0.6099.63 for Windows.  Google makes no mention of any of the addressed vulnerabilities being exploited in malicious attacks.

 

SecurityWeek reports: "Chrome 120 Patches 10 Vulnerabilities"

Submitted by Adam Ekwall on