Chrome 92 (92.0.4515.131), the Google security update issued for Windows, Mac, and Linux has patched at least 10 vulnerabilities. Chrome 92, is an update that improves browser efficiency on phish calculations, extends the scope of user website isolation technologies, and includes a few new 'Chrome Actions' to the repertory.
The search giant established in California has awarded over $133,000 in rewards to users who identified some 35 vulnerabilities addressed in Chrome 92. At least 9 of the flaws were categorized under high severity, the current highest threat level from Google.
The 360 Alpha Lab team from the Chinese cybersecurity company Qihoo 360's researchers Leecraso and Guang Gong have won $20,000 for detecting a high-severity vulnerability identified as CVE-2021-30590. The issue was described as a bookmark buffer overflow by Google.
Leecraso told the SecurityWeek team that, CVE-2021-30590 is an issue of sandbox escape that could be "exploited with an extension or a compromised renderer." An intruder can exploit the fault to remotely execute code outside of the sandbox of Chrome. The vulnerability might be leveraged to breakout from the browser's sandbox because of its out-of-bounds write. And it would only need the user to download the extension to take advantage of.
Google Chrome Sandbox is a creation and test environment for Google Chrome-based applications developers. A test and staging infrastructure is provided by the sandbox environment without the code getting tested for modifications to current code and databases.
Two vulnerabilities uncovered by researcher David Erceg have also been rated with a high level of severity. CVE-2021-30592, characterized as an off-bound writing problem on Google's Tab Groups, rewarded him $10,000, while CVE-2021-30593 has earned him a $5,000 bug reward, which was defined as an out-of-bounds read bug in Tab Strips.
“CVE-2021-30592 would require a malicious extension to be installed,” Erceg told SecurityWeek. “As for CVE-2021-30593,” he added, “it would be easier to trigger with an extension, though a web page could trigger the behavior under some more restricted circumstances. The impact is similar to CVE-2021-30592, in that an attacker could potentially escape the sandbox if they could set up memory in the appropriate way before the out-of-bounds read occurs. This issue could also be exploited on its own, but it does require some more specific interaction from the user.”
CVE-2021-30591, an after-free flaw within the File System API is yet another elevated vulnerability that Google paid out at $20,000. Reportedly, it was discovered by the Researcher SorryMybad of Kunlun Lab.
It is worthy to be noted that Google pays up to $20,000 for Chrome's vulnerabilities of escape sandbox revealed in a high-quality report. If researchers additionally offer a functioning exploit, they can receive up to $30,000 for such flaws.
Consumers must upgrade Chrome as soon as possible, given that the web browser seems to be increasingly targeted for malicious activity. It is worth noting that this year, Google fixed over half a dozen of zero-day vulnerabilities that were being actively exploited.
