Google on Monday released Chrome 59, the latest stable version of the browser, with patches for 30 vulnerabilities, five of them rated high severity.
The company paid out $23,500 to external researchers for the vulnerabilities, including $7,500 for a type confusion vulnerability in V8, the open source JavaScript engine Google uses for the browser. The fix was a relatively quick one for Google; Zhao Qixun, a researcher with Qihoo 360’s Vulcan Team, discovered the vulnerability just three weeks ago.
The update also resolves a high severity out-of-bounds read vulnerability in V8, two high severity use-after-free vulnerabilities, one in the browser's print preview feature and another in its Bluetooth app functionality, and a vulnerability that could have enabled address spoofing in the browser's Omnibox address bar.
Address spoofing vulnerabilities continue to be a problem for Chrome. Google has fixed roughly a dozen of them in the browser since last September, including three in Monday's Chrome 59 update, three in April's Chrome 58 update (one of which could have led to Unicode phishing attacks), two in Chrome 57 in March, and two in Chrome 56 in January. Attackers traditionally use such vulnerabilities to trick users into visiting unintended sites, often ones hosting malware.
The high, medium, and low-severity bugs in Chrome that earned bounties are:
The update also resolves a low severity issue in Blink, the rendering engine used by Chrome, that was more than two years in the making.
Daniel Veditz, a member of Mozilla's Security Team, pointed out in May 2015 that sendBeacon(), a method used to transmit data to a provided URL, allowed the sending of POST requests with an arbitrary content type.
> @sirdarckcat XHR can also send any/content-type data. Like XHR, sendBeacon uses the CORS model.
>
> — Daniel Veditz (@dveditz) May 20, 2015
It took developers two years, but a patch for the issue was finally merged into Chrome 59 on Monday, as well as into Chrome 60, which is expected to be released sometime in mid-July.
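The rule at stake in the sendBeacon issue is the CORS "simple request" rule: a browser sends a cross-origin POST without a preflight only when its Content-Type is one of a short safelist, so a server-side JSON endpoint that trusts that rule is exposed if a browser API can post an arbitrary type without preflighting. The following is an added example, not code from the article, from Chromium or from Mozilla. The safelisted types, the 128-byte limit and the forbidden bytes follow the Fetch standard's definition of a CORS-safelisted request-header; the `simulateBeacon` function is an assumed model of pre-fix versus post-fix behaviour drawn from the tweet quoted above, not the actual Chromium patch.

```javascript
// Added example, not code from the Threatpost article, from Chromium or from
// Mozilla. Models the CORS rule behind the sendBeacon issue: a cross-origin
// POST skips the preflight only when its Content-Type is CORS-safelisted.
// Safelist, 128-byte limit and forbidden bytes follow the Fetch standard;
// simulateBeacon() is an ASSUMED model of pre-/post-fix behaviour, not the
// real Chromium change.

const SAFELISTED_ESSENCES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// HTTP token characters (RFC 7230) permitted in a MIME type and subtype.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// "CORS-unsafe request-header byte" as defined by the Fetch standard.
function isCorsUnsafeByte(b) {
  if (b < 0x20 && b !== 0x09) return true;
  return [0x22, 0x28, 0x29, 0x3a, 0x3c, 0x3e, 0x3f, 0x40,
          0x5b, 0x5c, 0x5d, 0x7b, 0x7d, 0x7f].includes(b);
}

// Minimal MIME parse: lowercase "type/subtype" essence with parameters
// dropped, or null when the value is not a well-formed MIME type.
function mimeEssence(value) {
  const head = value.split(';', 1)[0].trim();
  const slash = head.indexOf('/');
  if (slash < 0) return null;
  const type = head.slice(0, slash).toLowerCase();
  const subtype = head.slice(slash + 1).toLowerCase();
  if (!TOKEN.test(type) || !TOKEN.test(subtype)) return null;
  return `${type}/${subtype}`;
}

// True when a request carrying this Content-Type value may be sent
// cross-origin without a CORS preflight.
function isCorsSafelistedContentType(value) {
  const bytes = new TextEncoder().encode(value);
  if (bytes.length > 128) return false;
  if (bytes.some(isCorsUnsafeByte)) return false;
  const essence = mimeEssence(value);
  return essence !== null && SAFELISTED_ESSENCES.has(essence);
}

// ASSUMED model: before the fix, sendBeacon() posted a Blob with whatever
// type the page chose and never preflighted; after the fix a non-safelisted
// Blob type goes through the same preflight an XHR or fetch() would.
function simulateBeacon(blobType, { fixed }) {
  if (fixed && !isCorsSafelistedContentType(blobType)) return 'preflight';
  return 'direct';
}

// Constructed sample of Blob types a page might hand to sendBeacon()
// against a cross-origin endpoint.
const SAMPLE_BLOB_TYPES = [
  'text/plain',
  'application/x-www-form-urlencoded',
  'multipart/form-data; boundary=----beacon',
  'application/json',
  'text/xml',
];

// Maps each sample type to how it is dispatched under the given model.
function classifyAll(fixed) {
  return Object.fromEntries(
    SAMPLE_BLOB_TYPES.map((t) => [t, simulateBeacon(t, { fixed })])
  );
}

if (typeof require !== 'undefined' && typeof module !== 'undefined'
    && require.main === module) {
  console.table({ before: classifyAll(false), after: classifyAll(true) });
}
```

Run under Node to print the before/after table: the `application/json` and `text/xml` beacons are the ones that previously reached a cross-origin server with no preflight. The practical lesson for the server side is the same either way: a CSRF defence should not rest on "non-safelisted Content-Type implies a preflight happened", because any browser bug in a request-sending API breaks that assumption; a token or an origin check holds regardless.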
The update comes with a collection of non-security tweaks as well, including the ability to push native macOS notifications, and a new Chrome Settings page.
Absent from the update is a fix for a hack that could let attackers automatically download a malicious file to a victim's PC to steal credentials and launch SMB relay attacks. The vulnerability, described in detail last month, is tied to the way both Chrome and Windows handle .SCF files. Google told Threatpost at the time it was aware of the issue and "taking the necessary actions."
The update comes a few days after Google reportedly told some of its publishers it plans to debut a new ad-blocking tool in the browser in 2018. The feature, which will be turned on by default according to the Wall Street Journal, will block ads from appearing on websites “that are deemed to provide a bad advertising experience for users.” The company gave publishers, agencies and advertisers a six-month heads up about its plans last week to help them better prepare.