Google recently released a new version of Chrome, 85.0.4183.121, for Windows, Mac, and Linux, in which it fixed nearly 10 security bugs. A Google Chrome installation on a remote macOS host that is older than 85.0.4183.121 is affected by several security flaws.
Successful exploitation of these flaws could enable threat actors to execute arbitrary code in the context of the browser.
According to Google’s Tuesday security bulletin, “If the application has been configured to have some user claims on the system, exploitation of several critical of these vulnerabilities could have more limited influence than if it was configured with organizational rights.”
As noted above, this new version of Chrome fixes almost 10 bugs. The fixes contributed by external researchers are listed below:
- CVE-2020-15960 (High): Out of bounds read in storage. Reported by anonymous on 2020-06-28.
- CVE-2020-15961 (High): Insufficient policy enforcement in extensions. Reported by David Erceg on 2020-08-10.
- CVE-2020-15962 (High): Insufficient policy enforcement in serial. Reported by Leecraso and Guang Gong of 360 Alpha Lab working with 360 BugCloud on 2020-08-26.
- CVE-2020-15963 (High): Insufficient policy enforcement in extensions. Reported by David Erceg on 2020-08-06.
- CVE-2020-15965 (High): Out of bounds write in V8. Reported by Lucas Pinheiro, Microsoft Browser Vulnerability Research on 2020-09-08.
- CVE-2020-15966 (Medium): Insufficient policy enforcement in extensions. Reported by David Erceg on 2020-08-06.
- CVE-2020-15964 (Low): Insufficient data validation in media. Reported by Woojin Oh (@pwn_expoit) of STEALIEN on 2020-08-25.
Bug Bounty Rewards
- For CVE-2020-15960 – $15000
- For CVE-2020-15961 – $15000
- For CVE-2020-15962 – $10000
- For CVE-2020-15963 – $5000
In one of its reports, Google mentioned that it currently has no reports of these vulnerabilities being exploited in the wild. The company has asked Chrome users to apply the stable channel updates to vulnerable systems as soon as possible.
Moreover, it also advised users “not to visit untrusted websites or follow links provided by unknown or untrusted sources.” Google also fixed many critical vulnerabilities last month, and in August it fixed a high-severity Chrome vulnerability that could be used to achieve arbitrary code execution.
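To act on the update advice above, hosts still running a build older than 85.0.4183.121 have to be identified. The following is an added example, not taken from Google's bulletin: it compares reported version strings numerically (a plain string comparison would rank 85.0.4183.83 above 85.0.4183.121). The hostnames and the inventory are constructed, and the `Google Chrome <version>` input format is assumed to be the output of the browser's `--version` flag.

```python
import re

# Fixed release named in the article.
FIXED = "85.0.4183.121"

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract a four-part Chrome version from free text.

    Returns a tuple of ints, or None when no version is present.
    """
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def needs_update(reported, fixed=FIXED):
    """True if the reported build is older than the fixed one,
    False if it is equal or newer, None if it cannot be parsed."""
    current = parse_version(reported)
    if current is None:
        return None
    return current < parse_version(fixed)


def triage(inventory):
    """Split (host, version string) pairs into outdated/current/unknown."""
    result = {"outdated": [], "current": [], "unknown": []}
    for host, reported in inventory:
        status = needs_update(reported)
        key = "unknown" if status is None else ("outdated" if status else "current")
        result[key].append(host)
    return result


# Constructed sample inventory (hostnames and collected strings are made up).
SAMPLE = [
    ("mac-001", "Google Chrome 85.0.4183.83"),
    ("mac-002", "Google Chrome 85.0.4183.121"),
    ("win-003", "85.0.4183.102"),
    ("lin-004", "Google Chrome 86.0.4240.75"),
    ("lin-005", "command not found"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts that land in `unknown` should be checked by hand rather than assumed patched.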