Google Pays $55,000 Bounty for Chrome Security Flaw

CVE-2024-9602 & CVE-2024-9603

Google has released a Stable Channel update for Chrome on Windows, Mac, and Linux, bringing the browser to version 129.0.6668.100/.101. The update is expected to roll out over the next few days and includes three important security fixes, two of which address critical vulnerabilities discovered by external researchers.

The highlight of this update is the patching of two Type Confusion vulnerabilities in Chrome’s V8 engine, a critical component responsible for JavaScript execution. These vulnerabilities, marked as high severity, have the potential to allow attackers to execute arbitrary code, which could result in severe security breaches if left unpatched.

  • CVE-2024-9602: This vulnerability was reported by security researcher Seunghyun Lee (@0x10n) on September 20, 2024. Google rewarded Lee with a bounty of $55,000 for his contribution to strengthening Chrome’s security.
  • CVE-2024-9603: This vulnerability was reported by @WeShotTheMoon and Nguyen Hoang Thach of StarLabs. The bounty for this discovery is still to be determined.

Type Confusion vulnerabilities in Chrome’s V8 engine can be particularly dangerous because they occur when the engine incorrectly handles object types, leading to memory corruption. This can enable attackers to execute arbitrary code or crash the browser, which may be leveraged in more complex attacks.

Users are encouraged to ensure their browsers are up to date to receive the latest security patches, particularly those that address high-severity issues such as these. Google’s automatic update feature will roll out version 129.0.6668.100/.101 in the coming days, but users can manually trigger the update by navigating to Chrome’s settings and checking for updates.
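For administrators who want to confirm the update has landed across several machines, the following added example (not code from Google or from this article) audits an inventory of reported Chrome version strings against the fixed build. It assumes 129.0.6668.100 is the minimum patched build and that the inventory is a list of `hostname,version string` lines; the hostnames and versions in the sample are constructed.

```python
import re

# Fixed build named in the article; .100 is treated here as the minimum patched build.
FIXED = (129, 0, 6668, 100)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Extract a four-part version from text such as `google-chrome --version` output."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def classify(text, fixed=FIXED):
    """Return 'patched', 'vulnerable', or 'unknown' for one reported version string."""
    v = parse_version(text)
    if v is None:
        return "unknown"  # never assume an unparseable entry is patched
    # Tuple comparison is numeric per component, so .9 sorts below .100.
    return "patched" if v >= fixed else "vulnerable"

def audit(inventory_lines):
    """inventory_lines: 'hostname,version string' entries. Returns {status: [hostnames]}."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version_text = line.partition(",")
        report[classify(version_text)].append(host.strip())
    return report

# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE = [
    "ws-01,Google Chrome 129.0.6668.100",
    "ws-02,Google Chrome 129.0.6668.89",
    "ws-03,Google Chrome 129.0.6668.9",   # below .100 numerically, above it as plain text
    "ws-04,Google Chrome 130.0.1.2",
    "ws-05,Chromium (version not reported)",
    "mac-01,Google Chrome 129.0.6668.101",
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts listed as unknown need a manual check rather than being counted as updated.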
