Google has released Chrome version 116.0.5845.96 to address multiple vulnerabilities in the browser. This update includes patches for a total of 27 vulnerabilities, with 21 of them reported by external researchers. The high-severity vulnerabilities mainly involve memory safety issues. Google has rewarded researchers for discovering three specific vulnerabilities, assigned the CVE numbers CVE-2023-4349 [3], CVE-2023-4350 [1] [2] [3] [5] [6], and CVE-2023-4351 [3] [5] [6]. The remaining externally-reported vulnerabilities were rated as medium-severity and encompassed various issues such as heap buffer overflow [5], insufficient validation of untrusted input [4] [5], use-after-free issues [1] [2] [5], and inappropriate implementation bugs [4] [5].
Description
In addition to the reported vulnerabilities, a new vulnerability [2] [6], identified as CVE-2023-4368 [6], has been discovered in Google Chrome [3]. This vulnerability allows a remote attacker to bypass security restrictions by exploiting insufficient policy enforcement in the Extensions API [6]. The risk level of this vulnerability is 6.5 [6], and its exploitability is unproven [6]. It is important to note that no attacks exploiting these vulnerabilities have been reported.
Google has acknowledged the researchers who reported these vulnerabilities and rewarded them with a total of $63,000 in bug bounty rewards. Users are advised to update their Google Chrome to version 116.0.5845.96 or later to mitigate these issues [7]. The update can be obtained through the auto-update mechanism or manually by visiting the “About Google Chrome” page [7]. After updating, it is recommended to relaunch Google Chrome for the changes to take effect [7].
Conclusion
This security update from Google addresses multiple vulnerabilities in Chrome [7], including high-severity memory safety issues. The company has rewarded researchers for their contributions and urges users to update their browsers to the latest version to protect against potential attacks. The discovery of a new vulnerability highlights the ongoing need for vigilance and prompt updates to ensure the security of Chrome users.
References
[1] https://www.infosecurity-magazine.com/news/google-26-bugs-fake-update-warning/
[2] https://www.forbes.com/sites/daveywinder/2023/08/16/critical-google-security-holes-addressed-in-bumper-chrome-116-update/
[3] https://www.hkcert.org/security-bulletin/google-chrome-multiple-vulnerabilities20230816
[4] https://www.itechtics.com/chrome-116/
[5] https://silentquadrant.com/blog/google-quantum-resilient-security-key-implementation-chrome-116-patches
[6] https://www.redpacketsecurity.com/google-chrome-security-bypass-cve-2023-4368/
[7] https://www.govcert.gov.hk/en/alertsdetail.php?id=1089
