Google on Monday released the latest stable version of Chrome that includes patches for 30 vulnerabilities, including five high severity issues.
The company paid out $23,500 to external researchers for the vulnerabilities, including $7,500 for a type confusion vulnerability in V8, the open source JavaScript engine Google uses for the browser. The fix was a relatively quick one for Google; Zhao Qixun, a researcher with Qihoo 360’s Vulcan Team, discovered the vulnerability just three weeks ago.
The update also resolves a high severity out-of-bounds read vulnerability in V8, two high severity use-after-free vulnerabilities–one in the browser’s print preview feature, another in its Apps Bluetooth functionality–and three vulnerabilities that could have enabled address spoofing in the browser’s Omnibox address bar.
Address spoofing vulnerabilities continue to be a problem for Chrome. Google has fixed roughly a dozen of them in the browser since last September, including three in Monday’s Chrome 59 update, three in April’s Chrome 58 update – including one that could’ve led to unicode (IDN homograph) phishing attacks – two in Chrome 57 in March, and two in Chrome 56 in January. Attackers traditionally use such vulnerabilities to make a malicious page appear to be a trusted site, tricking users into entering credentials or downloading malware from a site they never intended to visit.
The high, medium, and low-severity bugs in Chrome that earned bounties are:
- [$7500] [722756] High CVE-2017-5070: Type confusion in V8. Reported by Zhao Qixun(@S0rryMybad) of Qihoo 360 Vulcan Team on 2017-05-16
- [$3000] [715582] High CVE-2017-5071: Out of bounds read in V8. Reported by Choongwoo Han on 2017-04-26
- [$3000] [709417] High CVE-2017-5072: Address spoofing in Omnibox. Reported by Rayyan Bijoora on 2017-04-07
- [$2000] [716474] High CVE-2017-5073: Use after free in print preview. Reported by Khalil Zhani on 2017-04-28
- [$1000] [700040] High CVE-2017-5074: Use after free in Apps Bluetooth. Reported by anonymous on 2017-03-09
- [$2000] [678776] Medium CVE-2017-5075: Information leak in CSP reporting. Reported by Emmanuel Gil Peyrot on 2017-01-05
- [$1000] [722639] Medium CVE-2017-5086: Address spoofing in Omnibox. Reported by Rayyan Bijoora on 2017-05-16
- [$1000] [719199] Medium CVE-2017-5076: Address spoofing in Omnibox. Reported by Samuel Erb on 2017-05-06
- [$1000] [716311] Medium CVE-2017-5077: Heap buffer overflow in Skia. Reported by Sweetchip on 2017-04-28
- [$1000] [711020] Medium CVE-2017-5078: Possible command injection in mailto handling. Reported by Jose Carlos Exposito Bueno on 2017-04-12
- [$500] [713686] Medium CVE-2017-5079: UI spoofing in Blink. Reported by Khalil Zhani on 2017-04-20
- [$500] [708819] Medium CVE-2017-5080: Use after free in credit card autofill. Reported by Khalil Zhani on 2017-04-05
- [$N/A] [672008] Medium CVE-2017-5081: Extension verification bypass. Reported by Andrey Kovalev (@L1kvID) Yandex Security Team on 2016-12-07
- [$N/A] [721579] Low CVE-2017-5082: Insufficient hardening in credit card editor. Reported by Nightwatch Cybersecurity Research on 2017-05-11
- [$N/A] [714849] Low CVE-2017-5083: UI spoofing in Blink. Reported by Khalil Zhani on 2017-04-24
- [$N/A] [692378] Low CVE-2017-5085: Inappropriate javascript execution on WebUI pages. Reported by Zhiyang Zeng of Tencent security platform department on 2017-02-15
The update also resolves a low severity issue in Blink, the rendering engine used by Chrome, that was more than two years in the making.
Daniel Veditz, a member of Mozilla’s Security Team, pointed out in May 2015 that sendBeacon(), a method used to transmit data to a provided URL, allowed the sending of POST requests with an arbitrary Content-Type, without the CORS preflight that XMLHttpRequest would trigger for the same request.
@sirdarckcat XHR can also send any/content-type data. Like XHR, sendBeacon uses the CORS model.
— Dan Veditz (@dveditz) May 20, 2015
It took developers two years, but a patch for the issue was finally merged into Chrome 59 on Monday, as well as into Chrome 60, expected to be released sometime in mid-July.
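To make the sendBeacon() point concrete, here is an added example (not Chrome’s, Mozilla’s or Threatpost’s code) that models the CORS “simple request” rule for Content-Type from the Fetch Standard: a cross-origin POST whose Content-Type essence is one of three safelisted values goes out without a preflight, anything else must be preflighted. That rule is what the tweet above means by “the CORS model”; the internal mechanics of Chrome’s patch are not on this page and are not claimed here. The payload objects and the `beaconRequestKind` helper are this example’s own constructions standing in for a Blob, since Node has no `navigator.sendBeacon`.

```javascript
// Added example: classify a would-be sendBeacon() payload as a CORS "simple"
// request or a preflighted one, using the Fetch Standard's definition of a
// CORS-safelisted Content-Type. Runs under Node, no network needed.

const SAFELISTED_ESSENCES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// MIME "essence": type/subtype, lower-cased, parameters dropped.
// Returns null when the value does not look like a MIME type at all.
function mimeEssence(contentType) {
  const essence = contentType.split(';')[0].trim().toLowerCase();
  const parts = essence.split('/');
  if (parts.length !== 2 || parts[0] === '' || parts[1] === '') return null;
  return essence;
}

// Fetch Standard: a Content-Type value is CORS-safelisted when its byte
// length is at most 128, every byte is a "CORS-safelisted header byte"
// (no control bytes other than HT, none of " ( ) : < > ? @ [ \ ] { } DEL),
// and its essence is one of the three safelisted types.
function isCorsSafelistedContentType(value) {
  const bytes = Buffer.from(value, 'utf8');
  if (bytes.length > 128) return false;
  const forbidden = new Set([0x22, 0x28, 0x29, 0x3a, 0x3c, 0x3e, 0x3f, 0x40,
                             0x5b, 0x5c, 0x5d, 0x7b, 0x7d, 0x7f]);
  for (const b of bytes) {
    if ((b < 0x20 && b !== 0x09) || forbidden.has(b)) return false;
  }
  const essence = mimeEssence(value);
  return essence !== null && SAFELISTED_ESSENCES.has(essence);
}

// Constructed stand-in for a beacon payload: { body, type } mirrors a Blob's
// contents and its type (a string body would be sent as text/plain, a
// URLSearchParams body as application/x-www-form-urlencoded).
function beaconRequestKind(payload) {
  return isCorsSafelistedContentType(payload.type)
    ? 'simple (no preflight)'
    : 'preflighted';
}

// Constructed sample payloads, including the case a server-side CSRF review
// should care about: JSON content shipped under a safelisted text/plain type.
const samples = [
  { label: 'string body', body: 'event=click', type: 'text/plain;charset=UTF-8' },
  { label: 'URLSearchParams body', body: 'event=click',
    type: 'application/x-www-form-urlencoded;charset=UTF-8' },
  { label: 'JSON blob', body: '{"event":"click"}', type: 'application/json' },
  { label: 'JSON body under text/plain', body: '{"event":"click"}', type: 'text/plain' },
  { label: 'header-injection attempt', body: '', type: 'text/plain; x="\r\nX-Evil: 1"' },
];

// Returns { label: kind } for every sample so callers can inspect the result.
function classifyAll() {
  return Object.fromEntries(samples.map((s) => [s.label, beaconRequestKind(s)]));
}

for (const [label, kind] of Object.entries(classifyAll())) {
  console.log(`${label}: ${kind}`);
}
```

The last two samples carry the practical lesson: once beacons follow the CORS model, an attacker page can no longer fire a cross-origin `application/json` POST without a preflight, but a JSON-shaped body under `text/plain` still goes out unpreflighted, exactly as a plain HTML form would. A server that parses the body as JSON regardless of Content-Type, or that has no CSRF token or origin check, remains exposed; the preflight rule only protects endpoints that actually reject the safelisted types they do not expect.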
The update comes with a collection of non-security tweaks as well, including the ability to push native macOS notifications, and a new Chrome Settings page.
Absent from the update is a fix for an attack that could let attackers automatically download a malicious file to a victim’s PC to steal credentials and launch SMB relay attacks. The vulnerability, described in detail last month, is tied to the way both Chrome and Windows handle .SCF files. Google told Threatpost at the time it was aware of the issue and “taking the necessary actions.”
The update comes a few days after Google reportedly told some of its publishers it plans to debut a new ad-blocking tool in the browser in 2018. The feature, which will be turned on by default according to the Wall Street Journal, will block ads from appearing on websites “that are deemed to provide a bad advertising experience for users.” The company gave publishers, agencies and advertisers a six-month heads up about its plans last week to help them better prepare.