Google Patches High Risk Flaw in Chrome 63

Monday, December 18, 2017

Ionut Arghire


Google has released Chrome 63.0.3239.108 to the stable channel to address two security vulnerabilities in the browser.

One of the bugs, tracked as CVE-2017-15429, was a Universal Cross-site Scripting (UXSS) issue in V8, the open-source JavaScript engine in Google Chrome and Chromium browsers.

The vulnerability can be exploited by a remote unauthenticated malicious actor to perform a UXSS attack. No further details on the vulnerability are publicly available at the moment.

The vulnerability was reported to Google on November 24 by an external researcher who chose to remain anonymous. Google paid a $7,500 reward for the bug report.

The second vulnerability Google addressed with the new browser release was reported by the company’s internal team. The Internet giant has yet to publish any information on the flaw.

Chrome 63.0.3239.108 is now available for download for all Windows, Mac, and Linux users.

This is the second Chrome 63 release Google has made available this month. The first arrived on December 6 as Chrome 63.0.3239.84 and included 37 security fixes, among them a Critical out-of-bounds write vulnerability in QUIC.

Nineteen of those security flaws were reported by external researchers, and Google revealed it paid over $46,000 in bug bounties to them. The highest individual payout was $10,500.

In addition to resolving numerous vulnerabilities, Chrome 63 brought a series of security improvements for enterprise users, such as Site Isolation and the ability to restrict access to extensions based on the permissions required. The browser also brought Transport Layer Security (TLS) 1.3 for Gmail.
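As an added illustration of the two enterprise controls mentioned above (not a configuration taken from the article or from Google's own documentation), the following managed-policy file enables Site Isolation via the `SitePerProcess` policy and uses the `ExtensionSettings` policy to block any extension that requests selected permissions. The file path (`/etc/opt/chrome/policies/managed/security.json`) is the standard Linux location for managed Chrome policies; on Windows the same policies are delivered through the registry or Group Policy. The permission names listed under `blocked_permissions` are example choices an administrator would adapt to their own risk assessment.

```json
{
  "SitePerProcess": true,

  "ExtensionSettings": {
    "*": {
      "blocked_permissions": [
        "downloads",
        "bookmarks",
        "nativeMessaging",
        "webRequest"
      ]
    }
  }
}
```

With `SitePerProcess` set, each site is rendered in its own renderer process, which limits what a compromised renderer (for example one exploited through a V8 bug) can read from other sites. The `"*"` key in `ExtensionSettings` applies the permission block list to every extension not given a more specific entry, so an extension whose manifest requests one of the listed permissions is prevented from installing or is disabled.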

In an attempt to improve stability and security, Chrome will prevent applications from injecting code into its processes on Windows, starting next year.

Related: Chrome Improves Security for Enterprise Use

Related: Chrome to Block Apps from Injecting into Its Processes

Related: Chrome 62 Update Patches Serious Vulnerabilities

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
