Patch for 12 Security Vulnerabilities


The Chrome team has proudly announced that Chrome 123 has been promoted to the stable channel for users on Windows, Mac, and Linux.

This latest version, Chrome 123.0.6312.58 for Linux and 123.0.6312.58/.59 for Windows and Mac, is set to roll out progressively over the next few days and weeks.
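Because the rollout is staged, the check a defender wants at this point is whether each managed endpoint is already on a fixed build. The following is an added example, not code from the article or from Google: it parses the version string that `google-chrome --version` (or the Windows `chrome.exe --version` equivalent) prints, compares it numerically against the first fixed Chrome 123 build named above, and audits a constructed sample inventory. The hostnames and their version outputs are made up for the example.

```python
import re
from typing import Dict, Tuple

# First fixed build named in the release note: Linux shipped 123.0.6312.58,
# Windows and Mac shipped .58 and .59, so .58 is the minimum patched build.
FIXED_VERSION = "123.0.6312.58"

# Constructed sample inventory (not real hosts): hostname -> output of
# `google-chrome --version` collected by an endpoint agent.
SAMPLE_INVENTORY: Dict[str, str] = {
    "ws-01": "Google Chrome 123.0.6312.58",
    "ws-02": "Google Chrome 123.0.6312.59",
    "ws-03": "Google Chrome 122.0.6261.128",
    "ws-04": "Chromium 123.0.6312.57",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted Chrome version ("123.0.6312.58") into a tuple of ints.

    Comparing tuples compares each component numerically, so "123.0.6312.9"
    correctly sorts below "123.0.6312.58" (a plain string compare would not).
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def extract_version(cli_output: str) -> str:
    """Pull the four-part version out of `chrome --version` style output."""
    match = re.search(r"\b(\d+\.\d+\.\d+\.\d+)\b", cli_output)
    if not match:
        raise ValueError(f"no version found in: {cli_output!r}")
    return match.group(1)


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is at or above the first fixed build."""
    return parse_version(installed) >= parse_version(fixed)


def audit(inventory: Dict[str, str]) -> Dict[str, bool]:
    """Map each host to whether its reported Chrome build carries the fixes."""
    return {host: is_patched(extract_version(out)) for host, out in inventory.items()}


if __name__ == "__main__":
    for host, patched in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {'patched' if patched else 'NEEDS UPDATE'}")
```

Running the audit on the sample inventory flags `ws-03` and `ws-04` as needing the update; the same function can be fed real agent output once the staged rollout has reached your fleet.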

It encompasses a slew of fixes and improvements aimed at enhancing user experience and security.

Security Fixes and Rewards

In an ongoing effort to fortify its defenses, this update includes patches for 12 security vulnerabilities.

The Chrome team has taken a cautious approach by restricting access to bug details and links until many users receive the updates.

This measure ensures that potential attackers do not exploit the vulnerabilities before they are widely patched.

Some of the fixes were made possible through the contributions of external researchers, highlighting the importance of community involvement in cybersecurity.

High Severity Vulnerabilities

  • CVE-2024-2625: Object Lifecycle Issue in V8
    This high-severity vulnerability was discovered by Ganjiang Zhou (@refrain_areu) of the ChaMd5-H1 team and reported on March 1, 2024. It involves an object lifecycle issue within V8, Chrome’s JavaScript engine, which could potentially allow malicious actors to execute arbitrary code.

Medium Severity Vulnerabilities

  • CVE-2024-2626: Out of Bounds Read in Swiftshader
    Cassidy Kim (@cassidy6564) identified an out-of-bounds read in Swiftshader, reporting it on November 22, 2023. This vulnerability earned a $10,000 reward for its discovery.
  • CVE-2024-2627: Use After Free in Canvas
    An anonymous researcher reported this use-after-free issue in Canvas on January 21, 2024, which was rewarded with $4,000.
  • CVE-2024-2628: Inappropriate Implementation in Downloads
    As reported by Ath3r1s on January 3, 2024, this vulnerability concerns an inappropriate implementation in the Downloads feature and was rewarded with $3,000.
  • CVE-2024-2629: Incorrect Security UI in iOS
    Muneaki Nishimura (nishimunea) discovered an incorrect security UI in iOS, reporting it on January 2, 2024, and receiving a $2,000 reward.
  • CVE-2024-2630: Inappropriate Implementation in iOS
    James Lee (@Windowsrcer) reported another inappropriate implementation in iOS on December 7, 2023, which was rewarded with $1,000.
  • CVE-2024-2631: Inappropriate Implementation in iOS
    Ramit Gangwar’s discovery of yet another inappropriate implementation in iOS, reported on January 29, 2024, also earned a $2,000 reward.

The Chrome team extends its gratitude to all the security researchers who collaborated with them during the development cycle, helping to identify and rectify security issues before the stable release.

This proactive approach to security, coupled with internal audits, fuzzing, and other initiatives, underscores Google’s commitment to safeguarding its users.
