Google has unveiled its latest Chrome 115 update, a significant move aimed at addressing vulnerabilities within the popular web browser. In total, the update tackles 17 vulnerabilities, 11 of which were brought to light by external researchers.
Of particular note are the three high-severity type confusion bugs in the V8 JavaScript and WebAssembly engine, which have garnered the reporting researchers more than $60,000 in bug bounties. The company has shown its appreciation by awarding a total of $43,000 in rewards to a security researcher named ‘Jerry’, who identified two of these V8 issues, marked as CVE-2023-4068 and CVE-2023-4070. Furthermore, a $21,000 bug bounty has been granted to Man Yue Mo from GitHub Security Lab, who reported the third type confusion bug, CVE-2023-4069.
This Chrome update doesn’t stop there – it also effectively addresses six other high-severity vulnerabilities. Among these, CVE-2023-4071, identified as a heap buffer overflow bug in Visuals, takes the lead in terms of severity.
Following closely are an out-of-bounds read and write issue in WebGL (CVE-2023-4072), and an out-of-bounds memory access flaw in the ANGLE graphics engine abstraction layer (CVE-2023-4073). The remaining high-severity security defects, three in number, were externally reported and revolve around use-after-free vulnerabilities in Blink Task Scheduling, Cast, and WebRTC.
In addition to these high-severity fixes, the Chrome 115 update also addresses two medium-severity bugs in Extensions, described as insufficient data validation and inappropriate implementation.
Google’s commitment to enhancing cybersecurity is evident in the $123,000 in total bug bounty rewards distributed to the reporting researchers. The updated version of Chrome, 115.0.5790.170, has begun rolling out for Mac and Linux users, with versions 115.0.5790.170/.171 rolling out for Windows users. Notably, Google has stated that there is no indication of any of these vulnerabilities being exploited in attacks, emphasizing its proactive approach to security.