UPDATE Google is urging users to update their Chrome desktop browsers to avoid security issues related to a high-severity stack-based buffer overflow vulnerability. Google issued the alert Thursday and said an update for most browsers has been released.
“The stable channel has been updated to 62.0.3202.75 for Windows, Mac and Linux which will roll out over the coming days/weeks,” wrote Abdul Syed, a Google Chrome engineer, in a security bulletin to Google’s Chrome Release blog.
The bug is tied to the browser’s Chrome V8 open-source JavaScript engine as used on Windows 7 and later, macOS 10.5 and later, and Linux systems running Intel Architecture 32-bit (i386), ARM or MIPS processors, according to Google.
Google is not releasing any details surrounding this stack buffer overflow vulnerability (CVE-2017-15396), stating, “access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain (disclosure) restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.” Chrome V8 is written in C++ and is used in Node.js; it can be embedded into any C++ application or run standalone, according to Google.
This type of bug typically allows attackers to execute arbitrary code within the context of a targeted application. A failed exploit attempt causes a denial-of-service condition, according to an OWASP Foundation description of the vulnerability.
According to an analysis of the vulnerability by researchers at Risk Based Security, the flaw is in the International Components for Unicode for C/C++ (ICU), a library used by V8. “Ultimately, while it does affect V8 and Chrome, the flawed code is not Google’s,” according to Risk Based Security. The vulnerability, a “NUL-terminated buffer handling buffer overflow,” was made public Oct. 11, according to the firm.
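To make the “NUL-terminated buffer handling” wording concrete, here is an added C example (not ICU’s, V8’s or Google’s code; the flawed ICU code itself is not disclosed in this article): the unbounded pattern is measured rather than executed, beside a bounded copy that always terminates the destination and reports truncation. `STACK_BUF_SIZE` and the function names are assumptions for the illustration.

```c
#include <stddef.h>
#include <string.h>

#define STACK_BUF_SIZE 16  /* size of the fixed stack buffer being filled (assumed) */

/* Length of a C string without trusting that a NUL arrives: reads at
 * most 'limit' bytes. Returns 'limit' if no NUL was seen within it. */
static size_t bounded_strlen(const char *s, size_t limit) {
    size_t n = 0;
    while (n < limit && s[n] != '\0') n++;
    return n;
}

/* Vulnerable pattern: a copy loop that stops only at the source's NUL
 * and never checks the destination's capacity. Rather than commit the
 * overflow, this returns how many bytes such a loop would write
 * (content plus terminator) so the overrun is measurable. */
size_t unbounded_copy_would_write(const char *src) {
    return strlen(src) + 1;
}

/* 1 if src plus its NUL fits the stack buffer, 0 if it would overflow. */
int fits_stack_buffer(const char *src) {
    return unbounded_copy_would_write(src) <= STACK_BUF_SIZE;
}

typedef enum { COPY_OK = 0, COPY_TRUNCATED = 1, COPY_BADARG = 2 } copy_status;

/* Hardened pattern: bound the copy by the destination size, always
 * write a terminator, and report truncation instead of hiding it. */
copy_status bounded_copy(char *dst, size_t dst_size, const char *src) {
    if (dst == NULL || src == NULL || dst_size == 0) return COPY_BADARG;
    size_t n = bounded_strlen(src, dst_size);  /* never reads past dst_size */
    if (n >= dst_size) {                       /* no room for content plus NUL */
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return COPY_TRUNCATED;
    }
    memcpy(dst, src, n + 1);                   /* content and NUL both fit */
    return COPY_OK;
}
```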
The bug was reported by researcher Yu Zhou, of Ant-Financial Light-Year Security Lab on Sept. 30. He was awarded $3,000 for the discovery through Google’s bug bounty program.
In December of 2016, Google also addressed high-severity vulnerabilities in Chrome’s V8 JavaScript engine. One of the flaws was described as a “private property access in V8” vulnerability; the other was a use-after-free vulnerability in V8.
The United States Computer Emergency Readiness Team issued an alert for the buffer overflow vulnerability on Friday.
On Thursday Google also released an update for Chrome for Android (62.0.3202.73) that fixes a memory leak bug and a “major crash issue,” according to the advisory.
Google had previously updated the desktop Chrome 62 browser on Oct. 17. That update (62.0.3202.62) included 35 security fixes, eight rated high severity and seven ranked medium. The largest bug bounty payout was $8,837 for a UXSS with MHTML vulnerability (CVE-2017-5124), paid to an anonymous researcher. The flaw, according to a Red Hat description, was “found in the processing of malformed web content. A web page containing malicious content could cause Chromium to crash, execute arbitrary code, or disclose sensitive information when visited by the victim.”
(Article was updated with additional analysis by Risk Based Security on Oct. 27 at 5:30 pm ET)