CYBER NEWS

Google Fixes CVE-2017-5070, Multiple Security Flaws in Chrome 59

Google just released patches for CVE-2017-5070 and 29 other flaws in Chrome in the latest stable version of the browser, Chrome 59.0.3071.86. Google paid out $23,500 to external researchers for their findings.

Besides the Chrome flaws, a type confusion vulnerability in V8 (open source JavaScript engine for Chrome) was also fixed, and the researcher who found it got $7,500.

Chrome 59.0.3071.86: CVE-2017-5070 and Other Fixed Vulnerabilities

Google has fixed three address spoofing flaws in the latest version of its browser, and several more since last September. Attackers have used these flaws to trick users into visiting suspicious websites, even ones packed with malware.

Related Story: Spoofing Flaw Found in Chrome and Firefox Address Bar

Google was quite thorough in releasing the details surrounding the vulnerabilities which were grouped in high, medium, and low-severity groups:

  • [$7500] [722756] High CVE-2017-5070: Type confusion in V8. Reported by Zhao Qixun(@S0rryMybad) of Qihoo 360 Vulcan Team on 2017-05-16
  • [$3000] [715582] High CVE-2017-5071: Out of bounds read in V8. Reported by Choongwoo Han on 2017-04-26
  • [$3000] [709417] High CVE-2017-5072: Address spoofing in Omnibox. Reported by Rayyan Bijoora on 2017-04-07
  • [$2000] [716474] High CVE-2017-5073: Use after free in print preview. Reported by Khalil Zhani on 2017-04-28
  • [$1000] [700040] High CVE-2017-5074: Use after free in Apps Bluetooth. Reported by anonymous on 2017-03-09
  • [$2000] [678776] Medium CVE-2017-5075: Information leak in CSP reporting. Reported by Emmanuel Gil Peyrot on 2017-01-05
  • [$1000] [722639] Medium CVE-2017-5086: Address spoofing in Omnibox. Reported by Rayyan Bijoora on 2017-05-16
  • [$1000] [719199] Medium CVE-2017-5076: Address spoofing in Omnibox. Reported by Samuel Erb on 2017-05-06
  • [$1000] [716311] Medium CVE-2017-5077: Heap buffer overflow in Skia. Reported by Sweetchip on 2017-04-28
  • [$1000] [711020] Medium CVE-2017-5078: Possible command injection in mailto handling. Reported by Jose Carlos Exposito Bueno on 2017-04-12
  • [$500] [713686] Medium CVE-2017-5079: UI spoofing in Blink. Reported by Khalil Zhani on 2017-04-20
  • [$500] [708819] Medium CVE-2017-5080: Use after free in credit card autofill. Reported by Khalil Zhani on 2017-04-05
  • [$N/A] [672008] Medium CVE-2017-5081: Extension verification bypass. Reported by Andrey Kovalev (@L1kvID) Yandex Security Team on 2016-12-07
  • [$N/A] [721579] Low CVE-2017-5082: Insufficient hardening in credit card editor. Reported by Nightwatch Cybersecurity Research on 2017-05-11
  • [$N/A] [714849] Low CVE-2017-5083: UI spoofing in Blink. Reported by Khalil Zhani on 2017-04-24
  • [$N/A] [692378] Low CVE-2017-5085: Inappropriate javascript execution on WebUI pages. Reported by Zhiyang Zeng of Tencent security platform department on 2017-02-15
  • Google to Introduce Native Ad-Blocker to Chrome in 2018

    The update doesn’t include a fix for a hack that enables attackers to automatically download malicious files to a victim’s computer with the purpose to steal credentials and launch SMB relay attacks. This flaw stems from the way Chrome and Windows itself handle .SCF files. Google is supposedly preparing a fix for the issue.

    Related Story: Which Is the Most Secure Browser for 2017?

    As for the near future, Google is currently working on a new ad-blocker for Chrome that should be introduced next year. According to the Wall Street Journal, the new feature will be turned on by default and will block ads from showing up on websites providing bad advertising experience for users.

    Milena Dimitrova

    Milena Dimitrova

    An inspired writer and content manager who has been with SensorsTechForum since the beginning. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

    More Posts

    Follow Me:
    Twitter

    Leave a Comment

    Your email address will not be published. Required fields are marked *

    Time limit is exhausted. Please reload CAPTCHA.

    Share on Facebook Share
    Loading...
    Share on Twitter Tweet
    Loading...
    Share on Google Plus Share
    Loading...
    Share on Linkedin Share
    Loading...
    Share on Digg Share
    Share on Reddit Share
    Loading...
    Share on Stumbleupon Share
    Loading...