November 1, 2023 at 10:23AM
Google has released Chrome version 119, which includes patches for 15 vulnerabilities, with 13 of them reported by external researchers. Three bugs are rated as ‘high severity.’ Google has awarded $16,000 and $11,000 for the first two bugs respectively, with the amount for the third bug yet to be determined. The remaining vulnerabilities are rated as ‘medium’ or ‘low’ severity. Google has paid over $40,000 in bug bounties to researchers. The bugs will only be made public once the majority of users have updated their browsers.
Google announced the release of Chrome version 119 to the stable channel, which includes patches for 15 vulnerabilities. Thirteen of these vulnerabilities were reported by external researchers.
Three of the externally reported bugs are rated as ‘high’ severity. They are described as inappropriate implementation in Payments (CVE-2023-5480), insufficient data validation in USB (CVE-2023-5482), and integer overflow in USB (CVE-2023-5849). Google has already paid out $16,000 for the first flaw and $11,000 for the second. The amount for the third bug has yet to be determined.
The remaining ten security defects reported by external researchers include eight with a severity rating of ‘medium’ and two with a severity rating of ‘low’.
Half of the medium-severity bugs are use-after-free issues impacting various components of Chrome such as Printing, Profiles, Reading Mode, and Side Panel. The other half includes two incorrect security UI issues and two inappropriate implementation flaws in Downloads.
The low-severity defects addressed in this release include an inappropriate implementation in WebApp Provider and an incorrect security UI in ‘Picture In Picture’.
Google has paid out over $40,000 in bug bounty rewards to the researchers who reported these vulnerabilities. However, the final amount may be higher as the bounties for three bugs are yet to be determined.
Access to these bugs will remain restricted by Google until a majority of users have updated to the fixed versions.
Chrome version 119.0.6045.105 is now available for Linux and macOS, while Windows users will receive versions 119.0.6045.105/.106.
Chrome for Android has also been updated with the same security fixes, and the iOS version of Chrome has been updated as well.
Google has not mentioned any exploitation of these vulnerabilities in the wild.