"Chrome 111 Patches 40 Vulnerabilities"
Google recently announced the release of Chrome 111 to the stable channel with patches for 40 vulnerabilities. A total of 24 of the addressed security defects were reported by external researchers. These include eight high-severity flaws, 11 medium-severity bugs, and five low-severity issues. Google noted that three of the high-severity vulnerabilities reported by external researchers are use-after-free bugs impacting Swiftshader, DevTools, and WebRTC, for which they handed out bounty rewards of $15,000, $4,000, and $3,000, respectively. Google's advisory also mentions two type confusion flaws in V8 and CSS, awarded $10,000 and $7,000, respectively, a stack buffer overflow issue in Crash reporting, for which a $3,000 reward was paid, and two heap buffer overflow bugs in Metrics and UMA, for which rewards have yet to be determined. Six of the externally reported medium-severity flaws are insufficient policy enforcement bugs impacting browser components such as extensions API, autofill, web payments API, navigation, and intents. Additionally, Chrome 111 resolves medium-severity inappropriate implementation issues in permission prompts, WebApp installs, and autofill, a heap buffer overflow bug in the Web Audio API, and a use-after-free vulnerability in Core. Google noted that the externally reported low-severity defects resolved with this browser update include two insufficient policy enforcement issues in Resource Timing, an inappropriate implementation flaw in intents, a type confusion bug in DevTools, and an inappropriate implementation vulnerability in Internals. Google says it paid more than $90,000 in bug bounty rewards to the reporting researchers, but the total amount could be much higher, as the company has yet to determine the amounts to be handed out for several vulnerability reports. Google did not mention if any of these vulnerabilities have been exploited in attacks. The latest Chrome iteration is currently rolling out as versions 111.0.5563.64/.65 for Windows and version 111.0.5563.64 for Linux and macOS.
SecurityWeek reports: "Chrome 111 Patches 40 Vulnerabilities"