Chrome 105 Patches Critical, High-Severity Vulnerabilities


Google this week announced the first stable release of Chrome 105, which comes with patches for 24 vulnerabilities, including 13 use-after-free and heap buffer overflow bugs.

Google this week announced the first stable release of Chrome 105, which comes with patches for 24 vulnerabilities, including 13 use-after-free and heap buffer overflow bugs.

Twenty-one of the resolved security defects were reported by external researchers, including one critical-, eight high-, nine medium-, and three low-severity vulnerabilities.

A total of nine use-after-free issues were resolved with the latest browser update, the most important of which is a critical flaw in the Network Service component, reported by Google Project Zero researcher Sergei Glazunov, the company notes in an advisory.

Chrome 105 also patches five high-severity use-after-free vulnerabilities, impacting browser components such as WebSQL, Layout, PhoneHub, and Browser Tag.

Google says it handed out between $5,000 and $10,000 for four of the issues, but has yet to determine the amount to be paid for the fifth.

Other high-severity bugs the latest Chrome update resolves include a heap buffer overflow in Screen Capture, an inappropriate implementation in Site Isolation, and an insufficient validation of untrusted input in V8.

Three of the medium-severity flaws that Chrome 105 patches are heap buffer overflow bugs, two are use-after-free issues, two insufficient policy enforcements, and two inappropriate implementations.

Google says it has paid more than $60,000 in bug bounty rewards to the reporting researchers, but the internet giant has yet to determine the amount to be paid for five of the bugs and the total amount could be higher.

The latest browser iteration is now rolling out to Mac and Linux users as Chrome 105.0.5195.52 and to Windows users as Chrome 105.0.5195.52/53/54.

Google made no mention of any of these vulnerabilities being exploited in malicious attacks.

So far this year, there have been five documented Chrome zero-day vulnerabilities exploited in attacks. The most recent of them was addressed roughly two weeks ago.


By Ionut Arghire on Wed, 31 Aug 2022 10:02:13 +0000
Original link