Google announced the release of Chrome 93 for Windows, Mac and Linux that addresses a total of 27 flaws, including 19 vulnerabilities that were reported through its bug bounty program. Google paid over $130,000 in bounty rewards for the issues addressed with the Chrome 93.0.4577.63. release.
“The Chrome team is delighted to announce the promotion of Chrome 93 to the stable channel for Windows, Mac and Linux. This will roll out over the coming days/weeks.” reads the advisory. “Chrome 93.0.4577.63 contains a number of fixes and improvements — a list of changes is available in the log. Watch out for upcoming Chrome and Chromium blog posts about new features and big efforts delivered in 93.”
The list of vulnerabilities addressed by Google includes five high-severity use-after-free flaws reported by external researchers.
The most severe flaw, tracked as CVE-2021-30606, is a use-after-free in Blink that was reported by 360 Alpha Lab researchers reported by Nan Wang (@eternalsakura13) and koocola (@alo_cook) of 360 Alpha Lab. The bug was reported on ì2021-07-28 and Google awarded it with a $20,000 bounty reward.
The three remaining high-severity use-after-free issues were respectively tracked as CVE-2021-30607, CVE-2021-30608, and CVE-2021-30609. Below is the list of the issues and related awards:
Google also fixed a high-severity Use after free issue, tracked as CVE-2021-30610, in Extensions API. The Use after free in Extensions API. The vulnerability was reported Igor Bukanov from Vivaldi on 2021-04-19,
Another 12 medium-severity vulnerabilities included five use-after-free issues, affecting WebRTC, Base internals, Media, and WebApp Installs. The flaws received bounty rewards from $10,000 up to $20,000.
Google also fixed other medium-severity vulnerabilities including cross-origin data leak, heap buffer overflow, policy bypass, inappropriate implementation, UI spoofing (two bugs), and insufficient policy enforcement.
Google also paid a $10,000 reward for a low-severity issue.
(SecurityAffairs – hacking, Google)