Earlier this week, Google released a patch in the form of a more stable version of Chrome 107, where it fixed 14 vulnerabilities reported by external researchers.
As the developers now write, following this, an emergency patch was released for Chrome 107, closing the zero-day vulnerability that hackers are already exploiting.Let me remind you that we also wrote that Vulnerability in Screencastify for Chrome Allows Spying on Users through Cameras.
In total, at the start of Chrome 107, ten bugs were fixed, which the company was informed about by third-party information security experts. To exploit these bugs, a remote attacker needs to trick the user into opening a specially crafted page in a vulnerable browser. Successful exploitation of bugs allows arbitrary code to be executed or a denial of service (DoS) condition to occur on the affected system.
Judging by the vulnerability bounties, the most serious bug fixed in the Chrome 107 release was CVE-2022-3652, which is described as a type confusion in the V8 engine. Google says it paid the researcher who submitted the report $20,000.
The next issue was CVE-2022-3653, which is a heap buffer overflow in the Vulkan hardware acceleration engine. Google paid a $17,000 reward for this bug.
The third most “valuable” vulnerability in this release was CVE-2022-3654, a use-after-free bug in Layout. Google writes that the amount of reward for this bug has not yet been determined.
The company also paid a total of $17,000 for six medium-severity vulnerabilities, and as a result, third-party security experts received a total of $54,000 from the company.
However, fixing vulnerabilities did not end there. Today, Google developers announced the release of an emergency patch for Chrome 107. The “patch” eliminates the 0-day vulnerability CVE-2022-3723 in the browser, which is described as a type confusion bug associated with the V8 JavaScript engine.
Google says that the problem was discovered by Avast analysts on October 25, 2022, and experts are already aware of the existence of a working exploit for it.
So far, the details of this problem are not disclosed, and Google traditionally writes that “access to error information and links may be limited until most users receive a fix.” However, this is known to be the seventh patch for the Chrome zero-day vulnerability released by Google this year, and the second 0-day bug reported by Avast researchers.
