December 13, 2023 at 07:00AM
Google announced a Chrome 120 security update that addresses nine vulnerabilities, six of them reported by external researchers. The most severe resolved vulnerability is a type confusion bug in the V8 JavaScript engine, tracked as CVE-2023-6702. Google paid out bug bounties totaling $50,000 and has restricted access to vulnerability details. The update is rolling out to macOS, Linux, and Windows users.
The key takeaways are:
– Google has released a Chrome 120 security update to address nine vulnerabilities, with six of them reported by external researchers.
– Five of the externally reported flaws have a severity rating of ‘high’, with the most severe being a type confusion bug in the V8 JavaScript engine, for which a $16,000 bug bounty was awarded.
– The remaining high-severity flaws are use-after-free bugs in the browser’s Blink, libavif, WebRTC, and FedCM components, for which bug bounties ranging from $6,000 to $7,000 were awarded.
– A medium-severity use-after-free vulnerability in CSS was also patched, with a $7,000 bounty paid out.
– Use-after-free vulnerabilities can lead to memory corruption and can potentially be exploited to execute arbitrary code, corrupt data, or cause denial-of-service.
– Google has restricted access to vulnerability details until most users apply the available fixes.
– The latest Chrome iteration, version 120.0.6099.109, is rolling out to macOS, Linux, and Windows users, and the extended channel for macOS has been updated to the same version.
– There is no mention of these security holes being exploited in the wild, and Google has patched seven zero-day vulnerabilities in Chrome in 2023.