Headline
Google Quashes 5 High-Severity Bugs With Chrome 106 Update
External researchers contributed 16 of the 20 security updates included in the new Chrome 106 Stable Channel rollout, including five high-severity bugs.
Chrome is touting beefed-up security with the release of Chrome 106, which fixes 20 existing bugs, five of them high-severity.
Of the 20 total security fixes included, 16 were found by external researchers through Google’s bug bounty program. A blog post from Google Chrome’s Srinivas Sista listed the specific CVEs spotted by the bug bounty hunters, including five designated high-severity, which are as follows:
- CVE-2022-3304: Use after free in CSS. Reported by Anonymous on 2022-09-01
- CVE-2022-3201: Insufficient validation of untrusted input in Developer Tools. Reported by NDevTK on 2022-07-09
- CVE-2022-3305: Use after free in Survey. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2022-04-24
- CVE-2022-3306: Use after free in Survey. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2022-04-27
- CVE-2022-3307: Use after free in Media. Reported by Anonymous Telecommunications Corp. Ltd. on 2022-05-08
The biggest external researcher payout for far a bug that contributed to the latest Chrome 106 security update, according to Sista, was $9,000, the lowest was $1,000. Many payout amounts for other Chrome bug hunters are listed as “$TBD.”
As usual, Google did not list any technical details of the bugs.
“We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel,” Sista wrote. “As usual, our ongoing internal security work was responsible for a wide range of fixes.”
Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
Subscribe
Related news
Gentoo Linux Security Advisory 202311-11 - Multiple vulnerabilities have been discovered in QtWebEngine, the worst of which could lead to remote code execution. Versions greater than or equal to 5.15.10_p20230623 are affected.
platform_callback_stub in misc subsystem within OpenHarmony-v3.0.5 and prior versions has an authentication bypass vulnerability which allows an "SA relay attack".Local attackers can bypass authentication and attack other SAs with high privilege.
Use after free in media in Google Chrome prior to 106.0.5249.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chrome security severity: High)
Use after free in survey in Google Chrome on ChromeOS prior to 106.0.5249.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chrome security severity: High)
Use after free in survey in Google Chrome on ChromeOS prior to 106.0.5249.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chrome security severity: High)
Use after free in CSS in Google Chrome prior to 106.0.5249.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chrome security severity: High)
By Jon Munshaw and Vanja Svajcer. Microsoft released its monthly security update Tuesday, disclosing 83 vulnerabilities across the company’s hardware and software line, including seven critical issues in Windows’ point-to-point tunneling protocol. October's security update features 11 critical vulnerabilities, with the remainder being “important.” One of the most notable vulnerabilities Microsoft fixed this month is CVE-2022-41038, a remote code execution issue in Microsoft SharePoint. There are several other SharePoint vulnerabilities included in this month’s Patch Tuesday, though this seems the most severe, as Microsoft continues it to be “more likely” to be exploited. An attacker must be authenticated to the target site with the correct permissions to use manage lists in SharePoint to exploit this vulnerability, and eventually gain the ability to execute remote code on the SharePoint server. CVE-2022-37968, an elevation of privilege vulnerability in Azure Arc Connect, has th...
Microsoft released its monthly security update Tuesday, disclosing 83 vulnerabilities across the company’s hardware and software line.
Microsoft released its monthly security update Tuesday, disclosing 83 vulnerabilities across the company’s hardware and software line.
By Waqas According to researchers, Google Chrome, Mozilla Firefox, and Microsoft Edge browser contained the most vulnerabilities in 2022. This is a post from HackRead.com Read the original post: Apple Safari Safest, Google Chrome Riskiest Browser of 2022- Study
Gentoo Linux Security Advisory 202209-23 - Multiple vulnerabilities have been found in Chromium and its derivatives, the worst of which could result in remote code execution. Versions less than 105.0.5195.125 are affected.
Insufficient validation of untrusted input in DevTools in Google Chrome on Chrome OS prior to 105.0.5195.125 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted HTML page.
Insufficient validation of untrusted input in DevTools in Google Chrome on Chrome OS prior to 105.0.5195.125 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted HTML page.