Google on Tuesday announced the release of Chrome 120 to the stable channel with patches for 10 vulnerabilities.
Of the resolved issues, five were reported by external researchers, who received a total of $15,000 in bug bounty rewards, according to Google's advisory.
Based on the reward handed out, the most serious of the flaws is CVE-2023-6508, a high-severity use-after-free issue in Media Stream.
Next in line is CVE-2023-6509, a high-severity use-after-free defect that impacts Chrome's Side Panel Search component.
The latest browser release also resolves a medium-severity use-after-free vulnerability in Media Capture, and two low-severity inappropriate implementation flaws, in Autofill and Web Browser UI. A type of memory corruption bugs that occur when the pointer is not cleared after freeing memory allocation, use-after-free issues could lead to the execution of arbitrary code, to data corruption, or denial-of-service.
When combined with other vulnerabilities, use-after-free defects may be exploited to fully compromise a system.
In Chrome, use-after-free flaws could be exploited to escape the sandbox.
For that the exploitation of a security defect in the underlying operating system or in a privileged process is required.
Google has long fought memory corruption bugs and last year announced improved protections against the exploitation of use-after-free vulnerabilities in Chrome.
The latest Chrome iteration is now rolling out as version 120.0.6099.62 for macOS and Linux and as versions 120.0.6099.62/.63 for Windows.
Google also announced that it has updated the Chrome Extended Stable channel to version 120.0.6099.62 for macOS and to version 120.0.6099.63 for Windows.
The internet giant makes no mention of any of the addressed vulnerabilities being exploited in malicious attacks.
Last week, Google pushed a Chrome security update to address CVE-2023-6345, the seventh zero-day flaw documented in the browser in 2023.
This Cyber News was published on www.securityweek.com. Publication date: Wed, 06 Dec 2023 15:28:05 +0000