Google announced the release of Chrome 93 this week, which brings 27 security fixes, 19 of them for vulnerabilities reported by outside researchers.
Five of the externally reported issues are rated high severity, and all five are use-after-free flaws affecting various browser components.
CVE-2021-30606, a use-after-free in Blink that was identified by 360 Alpha Lab researchers Nan Wang and koocola in late July, looks to be the most serious of all. The discovery was rewarded with a $20,000 bounty from Google.
Three more high-severity use-after-free bugs were fixed in Permissions (CVE-2021-30607), Web Share (CVE-2021-30608), and Sign-In (CVE-2021-30609). Google paid $10,000, $7,500, and $5,000 for these reports, respectively.
The fifth high-severity flaw, in the Extensions API, was also fixed in this release. However, because it was reported by Vivaldi, a browser vendor, Google did not offer a reward. “Chromium embedders and firms with which Google has a pre-existing business relationship may not be eligible for rewards,” according to the guidelines of its Chrome vulnerability reward programme.
Five of the 12 medium-severity issues fixed in this release were also use-after-free bugs, affecting WebRTC (two security holes), Base internals, Media, and WebApp Installs. Google paid $20,000 each for the first two and $15,000 for the third.
The remaining medium-severity flaws included a heap buffer overflow, a cross-origin data leak, a policy bypass, an inappropriate implementation, UI spoofing (two bugs), and insufficient policy enforcement.
Two low-severity defects were also fixed in this release, both of them use-after-free issues. Google says it paid a $10,000 reward for the first; the amount for the second has not yet been determined.
In total, Google says it paid out over $130,000 in bounties to the researchers who reported these vulnerabilities.
Chrome 93.0.4577.63, the most recent version of Chrome, is now available for Windows, Mac, and Linux users.