Security
Headlines
HeadlinesLatestCVEs

Headline

Google Quashes 5 High-Severity Bugs With Chrome 106 Update

External researchers contributed 16 of the 20 security updates included in the new Chrome 106 Stable Channel rollout, including five high-severity bugs.

DARKReading
#vulnerability#google#chrome

Chrome is touting beefed-up security with the release of Chrome 106, which fixes 20 existing bugs, five of them high-severity.

Of the 20 total security fixes included, 16 were found by external researchers through Google’s bug bounty program. A blog post from Google Chrome’s Srinivas Sista listed the specific CVEs spotted by the bug bounty hunters, including five designated high-severity, which are as follows:

  • CVE-2022-3304: Use after free in CSS. Reported by Anonymous on 2022-09-01
  • CVE-2022-3201: Insufficient validation of untrusted input in Developer Tools. Reported by NDevTK on 2022-07-09
  • CVE-2022-3305: Use after free in Survey. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2022-04-24
  • CVE-2022-3306: Use after free in Survey. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2022-04-27
  • CVE-2022-3307: Use after free in Media. Reported by Anonymous Telecommunications Corp. Ltd. on 2022-05-08

The biggest external researcher payout for far a bug that contributed to the latest Chrome 106 security update, according to Sista, was $9,000, the lowest was $1,000. Many payout amounts for other Chrome bug hunters are listed as “$TBD.”

As usual, Google did not list any technical details of the bugs.

“We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel,” Sista wrote. “As usual, our ongoing internal security work was responsible for a wide range of fixes.”

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Related news

Gentoo Linux Security Advisory 202311-11

Gentoo Linux Security Advisory 202311-11 - Multiple vulnerabilities have been discovered in QtWebEngine, the worst of which could lead to remote code execution. Versions greater than or equal to 5.15.10_p20230623 are affected.

CVE-2023-0036: en/security-disclosure/2023/2023-01.md · OpenHarmony/security - Gitee.com

platform_callback_stub in misc subsystem within OpenHarmony-v3.0.5 and prior versions has an authentication bypass vulnerability which allows an "SA relay attack".Local attackers can bypass authentication and attack other SAs with high privilege.

CVE-2022-3307

Use after free in media in Google Chrome prior to 106.0.5249.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chrome security severity: High)

CVE-2022-3306

Use after free in survey in Google Chrome on ChromeOS prior to 106.0.5249.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chrome security severity: High)

CVE-2022-3305

Use after free in survey in Google Chrome on ChromeOS prior to 106.0.5249.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chrome security severity: High)

CVE-2022-3304: Stable Channel Update for Desktop

Use after free in CSS in Google Chrome prior to 106.0.5249.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chrome security severity: High)

Microsoft Patch Tuesday for October 2022 — Snort rules and prominent vulnerabilities

By Jon Munshaw and Vanja Svajcer. Microsoft released its monthly security update Tuesday, disclosing 83 vulnerabilities across the company’s hardware and software line, including seven critical issues in Windows’ point-to-point tunneling protocol.  October's security update features 11 critical vulnerabilities, with the remainder being “important.”   One of the most notable vulnerabilities Microsoft fixed this month is CVE-2022-41038, a remote code execution issue in Microsoft SharePoint. There are several other SharePoint vulnerabilities included in this month’s Patch Tuesday, though this seems the most severe, as Microsoft continues it to be “more likely” to be exploited.  An attacker must be authenticated to the target site with the correct permissions to use manage lists in SharePoint to exploit this vulnerability, and eventually gain the ability to execute remote code on the SharePoint server.   CVE-2022-37968, an elevation of privilege vulnerability in Azure Arc Connect, has th...

Microsoft Patch Tuesday for October 2022 — Snort rules and prominent vulnerabilities

Microsoft released its monthly security update Tuesday, disclosing 83 vulnerabilities across the company’s hardware and software line.

Microsoft Patch Tuesday for October 2022 — Snort rules and prominent vulnerabilities

Microsoft released its monthly security update Tuesday, disclosing 83 vulnerabilities across the company’s hardware and software line.

Apple Safari Safest, Google Chrome Riskiest Browser of 2022- Study

By Waqas According to researchers, Google Chrome, Mozilla Firefox, and Microsoft Edge browser contained the most vulnerabilities in 2022. This is a post from HackRead.com Read the original post: Apple Safari Safest, Google Chrome Riskiest Browser of 2022- Study

Gentoo Linux Security Advisory 202209-23

Gentoo Linux Security Advisory 202209-23 - Multiple vulnerabilities have been found in Chromium and its derivatives, the worst of which could result in remote code execution. Versions less than 105.0.5195.125 are affected.

CVE-2022-3201

Insufficient validation of untrusted input in DevTools in Google Chrome on Chrome OS prior to 105.0.5195.125 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted HTML page.

CVE-2022-3201: Stable Channel Update for Desktop

Insufficient validation of untrusted input in DevTools in Google Chrome on Chrome OS prior to 105.0.5195.125 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted HTML page.

DARKReading: Latest News

Apple Urgently Patches Actively Exploited Zero-Days