Google has updated the Chrome web browser again this week, an update which includes no less than 20 security fixes across the Windows, Mac, and Linux versions.
Eleven of these security issues are confirmed vulnerabilities and have been allocated Common Vulnerabilities and Exposures (CVE) numbers and associated criticality ratings. Users of all Chromium-powered browsers are advised to ensure they have been updated as soon as possible, with four vulnerabilities having a high CVE rating and six a medium one.
What Are The Four New Chrome Security Vulnerabilities With High Ratings?
The four Chrome security vulnerabilities that have been allocated a high CVE rating, together with the hackers who reported them to Google and who were awarded a total of $16,000 in bounties, are:
CVE-2023-3727 is a vulnerability in the Web Real-Time Communications (WebRTC) service, which enables text, video, and voice communications between devices and the browser. Cassidy Kim was awarded a $7000 bounty for reporting this one.
CVE-2023-3728 is another WebRTC vulnerability, and Zhenghang Xiao was also awarded a $7000 bounty for reporting it to Google.
CVE-2023-3730 is a vulnerability in the Tab Groups function. A bounty of $2000 was awarded to ‘ginggilBesel’ for reporting it.
CVE-2023-3732 did not earn a bounty, as it was reported by Mark Brand, part of the Project Zero team at Google, which is tasked with hunting down zero-day vulnerabilities. This isn’t a zero-day, but it is a memory access issue with the Chrome inter-process communication system known as Mojo.
Google has yet to release detailed technical information regarding these vulnerabilities so as to ensure as many users as possible can update Chrome before the details are made available.
What Are The Six New Chrome Security Vulnerabilities With Medium Ratings?
The six Chrome security vulnerabilities that have been allocated a medium CVE rating, together with the hackers who reported them to Google and who were also awarded a total of $16,000 in bounties, are:
CVE-2023-3733 is a vulnerability that sits within an inappropriate implementation of the Chrome WebApp install function. Ahmed ElMasry was awarded a $5000 bounty for reporting it to Google.
CVE-2023-3734 is another inappropriate implementation vulnerability, this time within the floating video Picture in Picture functionality. Another bounty of $5000 was awarded for this one, this time to Thomas Orlita.
CVE-2023-3735 is, you’ve guessed it, an inappropriate implementation vulnerability. This time it affects the web application programming interface (API) permission prompts. Ahmed ElMasry also found this one and was awarded a further $2000 bounty.
The remaining three medium-rated vulnerabilities are also of the inappropriate implementation variety.
CVE-2023-3736 impacts the custom tabs function and was reported by Philipp Beer who earned a $2000 bounty.
CVE-2023-3737 impacts the notifications function, reported by Narendra Bhati, who was also awarded a $2000 bounty.
CVE-2023-3738 impacts the autofill function and earned $1000 for Hafiizh.
How To Make Sure Your Chromium-Powered Browser Is Protected
Although you can expect your browser to download any security updates automatically, that alone isn’t enough to ensure you are protected from exploits of the patched vulnerabilities. How so? Because most Chromium-powered browsers will also require you to restart the application in order for the update to be activated. This is not a problem for those users who close their browsers religiously after each browsing session. For power users, and lazy ones, who leave multiple tabs open and rarely restart the application, it certainly is.
OK, with that in mind, it’s recommended that every Google Chrome user heads for the Help|About option, which will start any available update download automatically. Once this has completed, hit the restart button.
The July 18 security update will bring your Chrome browser version to 115.0.5790.98 for Mac and Linux and 115.0.5790.98/99 for Windows. However, there has also been a bug-fixing update on July 20, and this brings Chrome to 115.0.5790.102 across the three operating system platforms.
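For anyone checking a fleet rather than a single machine, the two things the paragraph above describes (is the installed build at or above the patched version, and has the browser actually been restarted onto it?) can be checked from inventory data. The following is an added example written for this article, not code from Google or the article's author; the inventory records are constructed sample data, and it assumes you have already collected each host's on-disk Chrome version and the version of the running browser process into those records.

```python
"""Classify Chrome installs against the 115.0.5790.98 security release.

Added example, not from the article or from Google. The inventory records below
are constructed sample data; collecting the installed and running versions from
real hosts is assumed to have happened already.
"""
from typing import List, Optional, Tuple

Version = Tuple[int, int, int, int]

# Lowest Chrome build carrying the fixes described in the article:
# 115.0.5790.98 on Mac and Linux, 115.0.5790.98/99 on Windows.
# The July 20 bug-fix release is 115.0.5790.102 on all three platforms.
PATCHED_MIN: Version = (115, 0, 5790, 98)


def parse_version(text: str) -> Version:
    """Turn '115.0.5790.98' into (115, 0, 5790, 98) so builds compare numerically.

    Plain string comparison gets this wrong: '115.0.5790.102' < '115.0.5790.98'
    because '1' sorts before '9', which would flag the newest build as unpatched.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {text!r}")
    major, minor, build, patch = (int(p) for p in parts)
    return (major, minor, build, patch)


def is_patched(version: str) -> bool:
    """True if the build is at or above the first release with the fixes."""
    return parse_version(version) >= PATCHED_MIN


def classify(installed: str, running: Optional[str]) -> str:
    """Return 'protected', 'pending-restart' or 'unpatched' for one host.

    installed: version on disk (what Help|About downloaded).
    running:   version of the live browser process, or None if it is not running.
    The fixes only take effect once the running process is a patched build,
    which is why a downloaded update still needs a restart.
    """
    if not is_patched(installed):
        return "unpatched"
    if running is None or is_patched(running):
        return "protected"
    return "pending-restart"


# Constructed sample inventory: (host, platform, installed version, running version).
SAMPLE_INVENTORY = [
    ("laptop-01", "mac", "115.0.5790.98", "115.0.5790.98"),
    ("laptop-02", "windows", "115.0.5790.99", "114.0.5735.199"),  # downloaded, not restarted
    ("build-03", "linux", "114.0.5735.199", None),                 # never updated
    ("desktop-04", "windows", "115.0.5790.102", "115.0.5790.102"),
]


def report(inventory) -> List[Tuple[str, str]]:
    """Classify every host in the inventory; returns (host, status) pairs."""
    return [(host, classify(installed, running)) for host, _os, installed, running in inventory]


if __name__ == "__main__":
    for host, status in report(SAMPLE_INVENTORY):
        print(f"{host:12} {status}")
```

The "pending-restart" state is the one the paragraph warns about: the host has the patched build on disk but the vulnerable process is still the one handling web content. Comparing version components as integers rather than strings matters here, since the July 20 build ends in .102 and would otherwise sort below .98.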
Other browsers that use the Chromium engine will also be getting updates. These may already have landed or will be forthcoming in the next few days. Check your Brave, Edge, Opera or Vivaldi browsers to ensure the update is installed and activated.