Google has just confirmed the second clutch of security updates for the Chrome browser in July. Version 103.0.5060.134 for all Windows, Mac, and Linux users will become available in the coming days. While this update will roll out automatically, users who don’t restart their browser regularly are advised to check manually and force the security patch activation.
In total, this update to Chrome 103.0.5060.134 fixes 11 security issues. Five of these were discovered by internal security audits and ‘fuzzing’, an automated process that feeds unexpected or random inputs to a program and watches for crashes or exceptions. The remaining six issues are vulnerabilities uncovered by security researchers. Unlike the first Chrome update this month, none are zero-days, where attackers are known to be already exploiting them in the wild. It would also appear that there are no security fixes in the Android Chrome update announced at the same time.
Five of the six vulnerabilities are rated as high impact, with the sixth being a low impact issue. In total, $33,500 in bug bounties was awarded to the researchers who disclosed the vulnerabilities. Some $23,000 of this went to just two researchers, one of which, surprisingly, was for that low-impact vulnerability.
As usual, there is little detailed information available currently. Google sensibly withholds this until such a time as a majority of the userbase has had the opportunity to update. Here’s what we do know:
- $16,000 was awarded to an anonymous researcher for a high-rated use-after-free vulnerability, CVE-2022-2477, in guest view.
- $7,500 was awarded to ‘triplepwns’ for a high-rated use-after-free vulnerability, CVE-2022-2478, in PDF.
- $3,000 was awarded to an anonymous researcher for a high-rated vulnerability, CVE-2022-2479, involving insufficient validation of untrusted input in files.
- Two further high-rated vulnerabilities, CVE-2022-2480 and CVE-2022-2481, from Sergei Glazunov (a member of the Google Project Zero team) and YoungJoo Lee respectively, have yet to have any bounty awarded. The first is a use-after-free in the service worker API and the second a use-after-free in views.
- $7,000 was awarded to Chaoyuan Peng for the low-rated use-after-free vulnerability CVE-2022-2163 in the cast user interface and toolbar.