Google patches multiple Chrome vulnerabilities, including RCE.
The stable release 84.0.4147.105 of the Chrome web browser, which is out for Windows and Mac, fixes a number of vulnerabilities ranging from low to high severity.
An update for Linux distros is expected to be rolled out in the upcoming days.
If exploited, some of these vulnerabilities could have enabled attackers to execute arbitrary code remotely on the victims’ machines.
A list of the vulnerabilities, the security researchers who reported them, and the bug bounties offered to them by Google has been announced on the release updates page:
- [$10000][1105318] High CVE-2020-6537: Type Confusion in V8. Reported by Alphalaab on 2020-07-14
- [$N/A][1096677] High CVE-2020-6538: Inappropriate implementation in WebView. Reported by Yongke Wang(@Rudykewang) and Aryb1n(@aryb1n) of Tencent Security Xuanwu Lab (腾讯安全玄武实验室) on 2020-06-18
- [$TBD][1104061] High CVE-2020-6532: Use after free in SCTP. Reported by Anonymous on 2020-07-09
- [$N/A][1105635] High CVE-2020-6539: Use after free in CSS. Reported by Oriol Brufau on 2020-07-14
- [$TBD][1105720] High CVE-2020-6540: Heap buffer overflow in Skia. Reported by Zhen Zhou of NSFOCUS Security Team on 2020-07-15
- [$N/A][1106773] High CVE-2020-6541: Use after free in WebUSB. Reported by Sergei Glazunov of Google Project Zero on 2020-07-17
“We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel,” said Prudhvikumar Bommana, Technical Program Manager at Google.
Google’s internal security teams have also been credited with implementing a number of fixes after having discovered bugs, as the page explains.
“[1109361] Various fixes from internal audits, fuzzing, and other initiatives. Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL.”
Users are advised to update their Chrome browsers to version 84.0.4147.105 or above.