Second July Google Chrome Security Update Lands on Windows, Mac, Linux


Google has just confirmed the second package of security updates for the Chrome browser in July. Version 103.0.5060.134 will be available to all Windows, Mac and Linux users in the coming days. Although this update is being rolled out automatically, users who do not regularly restart their browsers are advised to check manually and force activation of the security patch.

In total, this update to Chrome 103.0.5060.134 resolves 11 security issues. Five of them were discovered through internal security audits and “fuzzing,” an automated process that looks for exceptions when a program is given unexpected or random input. The other six issues are vulnerabilities discovered by security researchers. Unlike Chrome’s first update this month, none are zero-days known to be exploited by attackers already in the wild. It also appears that there are no security fixes in the Android Chrome update announced at the same time.

Five of the six vulnerabilities are rated as high impact, with the sixth being a low-impact issue. A total of $33,500 in bug bounties was awarded to the researchers who reported the vulnerabilities. Some $23,000 of that went to just two researchers, one of whom, surprisingly, was rewarded for the low-impact vulnerability.


As usual, there is little detailed information currently available. Google reasonably withholds this until a majority of the user base has had a chance to update. Here’s what we know:

  • $16,000 was awarded to an anonymous researcher for the high-rated use-after-free vulnerability CVE-2022-2477 in Guest View.
  • $7,500 was awarded to ‘triplepwns’ for the high-rated use-after-free vulnerability CVE-2022-2478 in PDF.
  • $3,000 was awarded to an anonymous researcher for the high-rated vulnerability CVE-2022-2479, involving insufficient validation of untrusted input in files.
  • Two other high-rated vulnerabilities, CVE-2022-2480 and CVE-2022-2481, reported by Sergei Glazunov (Google Project Zero team member) and YoungJoo Lee respectively, have yet to receive a bounty. The first is a use-after-free in the Service Worker API and the second is a use-after-free in Views.
  • $7,000 was awarded to Chaoyuan Peng for the low-rated use-after-free vulnerability CVE-2022-2163 in Cast UI and Toolbar.
