Google has released Chrome 59.0.3071.86, the latest stable version of the browser, with patches for CVE-2017-5070 and 29 other flaws. Google paid out $23,500 to external researchers for their findings.
The most severe of the externally reported bugs, CVE-2017-5070, is a type confusion vulnerability in V8, the open-source JavaScript engine used by Chrome; the researcher who reported it received $7,500, the largest single reward in this release.
Chrome 59.0.3071.86: CVE-2017-5070 and Other Fixed Vulnerabilities
Google has fixed three address spoofing flaws in the Omnibox in this release, and several more since last September. Flaws of this kind let a page make the address bar display a trusted URL while the content comes from somewhere else, which can be used to trick users into visiting suspicious websites, including ones serving malware.
Google published the details of the externally reported vulnerabilities, grouped by high, medium and low severity (reward, Chromium bug ID, severity, CVE, description, reporter and report date):
[$7500] [722756] High CVE-2017-5070: Type confusion in V8. Reported by Zhao Qixun (@S0rryMybad) of Qihoo 360 Vulcan Team on 2017-05-16
[$3000] [715582] High CVE-2017-5071: Out of bounds read in V8. Reported by Choongwoo Han on 2017-04-26
[$3000] [709417] High CVE-2017-5072: Address spoofing in Omnibox. Reported by Rayyan Bijoora on 2017-04-07
[$2000] [716474] High CVE-2017-5073: Use after free in print preview. Reported by Khalil Zhani on 2017-04-28
[$1000] [700040] High CVE-2017-5074: Use after free in Apps Bluetooth. Reported by anonymous on 2017-03-09
[$2000] [678776] Medium CVE-2017-5075: Information leak in CSP reporting. Reported by Emmanuel Gil Peyrot on 2017-01-05
[$1000] [722639] Medium CVE-2017-5086: Address spoofing in Omnibox. Reported by Rayyan Bijoora on 2017-05-16
[$1000] [719199] Medium CVE-2017-5076: Address spoofing in Omnibox. Reported by Samuel Erb on 2017-05-06
[$1000] [716311] Medium CVE-2017-5077: Heap buffer overflow in Skia. Reported by Sweetchip on 2017-04-28
[$1000] [711020] Medium CVE-2017-5078: Possible command injection in mailto handling. Reported by Jose Carlos Exposito Bueno on 2017-04-12
[$500] [713686] Medium CVE-2017-5079: UI spoofing in Blink. Reported by Khalil Zhani on 2017-04-20
[$500] [708819] Medium CVE-2017-5080: Use after free in credit card autofill. Reported by Khalil Zhani on 2017-04-05
[$N/A] [672008] Medium CVE-2017-5081: Extension verification bypass. Reported by Andrey Kovalev (@L1kvID) of Yandex Security Team on 2016-12-07
[$N/A] [721579] Low CVE-2017-5082: Insufficient hardening in credit card editor. Reported by Nightwatch Cybersecurity Research on 2017-05-11
[$N/A] [714849] Low CVE-2017-5083: UI spoofing in Blink. Reported by Khalil Zhani on 2017-04-24
[$N/A] [692378] Low CVE-2017-5085: Inappropriate javascript execution on WebUI pages. Reported by Zhiyang Zeng of Tencent security platform department on 2017-02-15
Google to Introduce Native Ad-Blocker to Chrome in 2018
The update does not include a fix for a recently disclosed technique that lets an attacker silently download a malicious file to a victim's computer in order to steal credentials and mount SMB relay attacks. The flaw stems from the way Chrome and Windows handle .SCF (Shell Command) files: Chrome saves such a file without prompting the user, and when the user later opens the download folder, Windows Explorer parses it and, if its IconFile entry points at a remote SMB share, automatically authenticates to that server with the user's NTLM credentials, which the attacker can capture for offline cracking or relay to another host. Google is reportedly preparing a fix for the issue.
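The following script is an added example, not code from this article or from Google: it parses the INI-style Shell Command File format and flags .scf files whose IconFile entry points at a UNC share, which is the property that makes Explorer send NTLM credentials off the machine. The benign sample is the standard "Show Desktop" shortcut; the hostile sample, the 203.0.113.10 address and the evil.example host are constructed for illustration.

```python
"""Flag Windows Shell Command (.scf) files whose icon points at a remote
(UNC) share.  Added example with constructed sample inputs; not code from
the article or from Google/Chromium."""
import re
from pathlib import Path
from typing import Dict, List, Tuple

# A UNC reference starts with two backslashes (or forward slashes) and a
# host part: \\host\share\icon.ico.  Anchored at the start of the value so
# the benign "explorer.exe,3" icon of the Show Desktop shortcut is ignored.
UNC_RE = re.compile(r"^[\\/]{2}([^\\/]+)[\\/]")

# Keys Explorer resolves as a file path when it renders the icon.
# Assumption for this example: IconFile is the key that triggers the
# fetch, as in the public write-ups of the attack.
PATH_KEYS = {"iconfile"}


def parse_scf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI-style parser returning {section_lower: {key_lower: value}}.

    Hand-rolled instead of configparser so duplicate keys, lines without
    '=' and a UTF-8 BOM (all tolerated by Explorer) do not raise."""
    sections: Dict[str, Dict[str, str]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        sections.setdefault(current, {})[key.strip().lower()] = value.strip().strip('"')
    return sections


def unc_references(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, host) for every path key pointing at a UNC share."""
    hits: List[Tuple[str, str, str]] = []
    for section, entries in parse_scf(text).items():
        for key, value in entries.items():
            if key in PATH_KEYS:
                match = UNC_RE.match(value)
                if match:
                    hits.append((section, key, match.group(1)))
    return hits


def scan_downloads(folder: Path) -> Dict[str, List[Tuple[str, str, str]]]:
    """Report every .scf file (suffix matched case-insensitively) in a
    directory whose icon is fetched from a remote share."""
    findings: Dict[str, List[Tuple[str, str, str]]] = {}
    for path in folder.iterdir():
        if path.is_file() and path.suffix.lower() == ".scf":
            hits = unc_references(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                findings[path.name] = hits
    return findings


# Constructed samples, not captured from a real incident.
BENIGN_SCF = r"""[Shell]
Command=2
IconFile=explorer.exe,3
[Taskbar]
Command=ToggleDesktop
"""

HOSTILE_SCF = r"""[Shell]
Command=2
IconFile=\\203.0.113.10\share\icon.ico
[Taskbar]
Command=ToggleDesktop
"""

if __name__ == "__main__":
    print("benign :", unc_references(BENIGN_SCF))
    print("hostile:", unc_references(HOSTILE_SCF))
```

Running scan_downloads over a user's Downloads folder is a reasonable triage step on a host suspected of having hit such a page; it only reads the files and never lets Explorer render them. Until Chrome ships a fix, the published mitigation is to enable "Ask where to save each file before downloading" so that no file lands in the download folder without a prompt.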
Looking further ahead, Google is working on a native ad-blocker for Chrome that it plans to introduce next year. According to the Wall Street Journal, the feature will be turned on by default and will block ads on websites that provide a bad advertising experience for users.