Chrome 64.0.3282.119 releases, fix 53 vulnerabilities
On January 24, 2018, Google released Chrome 64.0.3282.119 that contains a number of fixes and improvements.
This update includes 53 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.
[$3000][780450] High CVE-2018-6031: Use after free in PDFium. Reported by Anonymous on 2017-11-01
[$2000][787103] High CVE-2018-6032: Same origin bypass in Shared Worker. Reported by Jun Kokatsu (@shhnjk) on 2017-11-20
[$1000][793620] High CVE-2018-6033: Race when opening downloaded files. Reported by Juho Nurminen on 2017-12-09
[$4000][784183] Medium CVE-2018-6034: Integer overflow in Blink. Reported by Tobias Klein (www.trapkit.de) on 2017-11-12
[$2500][797500] Medium CVE-2018-6035: Insufficient isolation of devtools from extensions. Reported by Rob Wu on 2017-12-23
[$2000][789952] Medium CVE-2018-6036: Integer underflow in WebAssembly. Reported by The UK’s National Cyber Security Centre (NCSC) on 2017-11-30
[$1000][753645] Medium CVE-2018-6037: Insufficient user gesture requirements in autofill. Reported by Paul Stone of Context Information Security on 2017-08-09
[$1000][774174] Medium CVE-2018-6038: Heap buffer overflow in WebGL. Reported by cloudfuzzer on 2017-10-12
[$1000][775527] Medium CVE-2018-6039: XSS in DevTools. Reported by Juho Nurminen on 2017-10-17
[$1000][778658] Medium CVE-2018-6040: Content security policy bypass. Reported by WenXu Wu of Tencent’s Xuanwu Lab on 2017-10-26
[$500][760342] Medium CVE-2018-6041: URL spoof in Navigation. Reported by Luan Herrera on 2017-08-29
[$500][773930] Medium CVE-2018-6042: URL spoof in OmniBox. Reported by Khalil Zhani on 2017-10-12
[$500][785809] Medium CVE-2018-6043: Insufficient escaping with external URL handlers. Reported by 0x09AL on 2017-11-16
[$TBD][797497] Medium CVE-2018-6045: Insufficient isolation of devtools from extensions. Reported by Rob Wu on 2017-12-23
[$TBD][798163] Medium CVE-2018-6046: Insufficient isolation of devtools from extensions. Reported by Rob Wu on 2017-12-31
[$TBD][799847] Medium CVE-2018-6047: Cross origin URL leak in WebGL. Reported by Masato Kinugawa on 2018-01-08
[$500][763194] Low CVE-2018-6048: Referrer policy bypass in Blink. Reported by Jun Kokatsu (@shhnjk) on 2017-09-08
[$500][771848] Low CVE-2017-15420: URL spoofing in Omnibox. Reported by Drew Springall (@_aaspring_) on 2017-10-05
[$500][774438] Low CVE-2018-6049: UI spoof in Permissions. Reported by WenXu Wu of Tencent’s Xuanwu Lab on 2017-10-13
[$500][774842] Low CVE-2018-6050: URL spoof in OmniBox. Reported by Jonathan Kew on 2017-10-15
[$N/a][441275] Low CVE-2018-6051: Referrer leak in XSS Auditor. Reported by Antonio Sanso (@asanso) on 2014-12-11
[$N/A][615608] Low CVE-2018-6052: Incomplete no-referrer policy implementation. Reported by Tanner Emek on 2016-05-28
[$N/A][758169] Low CVE-2018-6053: Leak of page thumbnails in New Tab Page. Reported by Asset Kabdenov on 2017-08-23
[$N/A][797511] Low CVE-2018-6054: Use after free in WebUI. Reported by Rob Wu on 2017-12-24
Source: chromereleases