Google has released a new update for its Chrome browser, version 149, which addresses 28 security vulnerabilities, including several critical and high-severity issues. This update is a significant step in enhancing browser security, as the company continues to tackle longstanding challenges.
Critical Vulnerabilities Addressed
The Chrome 149 update resolves five vulnerabilities classified as critical. These include use-after-free flaws in Core, DigitalCredentials, and WebMIDI, a failure to properly validate untrusted input in the Accessibility feature, and a heap buffer overflow in the GPU component. Addressing these issues is crucial as they could potentially be exploited for severe attacks.
Use-after-free vulnerabilities, in particular, pose significant risks. They are a type of memory safety bug that can lead to remote code execution (RCE), data corruption, or denial-of-service attacks. Google’s ongoing efforts to mitigate these issues include implementing MiraclePtr in 2022 and transitioning Chrome’s codebases to Rust, aiming to eliminate such security defects entirely.
High-Severity Security Flaws
The update also tackles 23 high-severity vulnerabilities. These include nine use-after-free incidents, four cases of insufficient input validation, three inappropriate implementations, two instances of insufficient policy enforcement, and both out-of-bounds read and write errors, among others. Each of these flaws can have serious implications if not addressed promptly.
Many of these vulnerabilities could potentially allow attackers to escape the browser’s sandbox, especially when combined with other security weaknesses in the operating system or privileged areas of the browser. Google’s proactive approach in patching these flaws highlights the importance of maintaining robust security measures.
Ongoing Security Enhancements
Google has been actively combating use-after-free vulnerabilities in Chrome for several years. The introduction of MiraclePtr and the shift towards Rust as a programming language for Chrome’s codebases are part of ongoing efforts to improve security. These measures have become increasingly important as the number of identified vulnerabilities in Chrome has surged, a trend possibly driven by the integration of artificial intelligence technologies.
In 2023 alone, over 700 bugs have been patched in Chrome, with a number of them being zero-day vulnerabilities. The latest update, version 149.0.7827.114/.115 for Windows and macOS and 149.0.7827.114 for Linux, continues this trend, with the majority of the reported issues being identified by Google’s internal team.
Google has not reported any of the vulnerabilities from this update being exploited in active attacks. The swift rollout of these patches reflects the company’s commitment to ensuring user safety and maintaining the integrity of its browser ecosystem.
