‘High severity’ browser bug patched by Google

by Gabriel E. Hall - -

Google encourages consumers to get the latest Chrome browser update in order to prevent security problems related to high severity vulnerability.

Google patches bug 

According to Google, the update has already been released for most browsers. The stable channel has been upgraded for the most common operating systems, including Windows, Mac, and Linux.[1]

This vulnerability is connected to the browser’s Chrome V8. According to Google, V8 is Google’s open source JavaScript engine written in C++ and Node.js. Chrome V8 also is able to run standalone or can be inserted into all C++ applications.

However, Google does not disclose any details about the bug.[2]

Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain (disclosure) restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

OWASP Foundation also provides a description of the vulnerability which reveals that bugs like this are widely exploited by cyber criminals and enables them to operate arbitrary code within the contexts of a targeted app. Also, a failed exploitation generates a denial of service condition.

In addition, the analysis provided the information that the flows is in the Internation Components for Unicode C/C++. Risk Based Security reported that:[3]

Ultimately, while it does affected V8 and Chrome, the flawed code is not Google’s. The vulnerability, a NUL-terminated buffer handling buffer overflow, was made public Oct. 11.

The vulnerability was uncovered and reported by a security researcher at Ant-Financial Light-Year Security Lab Yu Zhou.

The researcher also received an award for $3,000 for the discovery via Google’s award program called bug bounty.
In addition, other high severity bugs in Chrome browser’s V8 JavaScript engine were announced by Google in December last year.

The update about the patch was also announced by the United States Computer Emergency Readiness Team which encourages users and administrators to review the Google updates and to release and apply the update.

The update for a mobile version of Chrome for Android was also released. This update solved the issue with a memory leak bug and also a major crash issue.[4]

We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.
Many of our security bugs are detected using Address Sanitized, Memory Sanitizer, Undefined Behavior Sanitizer, Control Flow Integrity, lib Fuzzer or AFL.

=

About the author

Gabriel E. Hall
Gabriel E. Hall - Antivirus software specialist

Gabriel E. Hall is an antivirus software specialist at Reviewedbypro.com.

Contact Gabriel E. Hall
About the company Esolutions

References



Ask
now online
news
Subscribe
Privacy
Security
Recovery
Like us on Facebook