Google announced the release of Chrome 93 this week, which includes 27 security patches, 19 of them for vulnerabilities disclosed by external researchers.
Among the externally reported issues, five high-severity security flaws were patched with the current Chrome release, all of which were use-after-free flaws impacting various browser components.
CVE-2021-30606, a use-after-free in Blink that was identified by 360 Alpha Lab researchers Nan Wang and koocola in late July, looks to be the most severe of all. The discovery was rewarded with a $20,000 bounty from Google.
High-severity use-after-free issues were also fixed in Permissions (CVE-2021-30607), Web Share (CVE-2021-30608), and Sign-In (CVE-2021-30609). These vulnerability reports cost Google $10,000, $7,500, and $5,000, respectively.
The Extensions API was found to have another high-severity flaw, which was also fixed with this Chrome release. However, because the flaw was discovered by Vivaldi, a browser developer, Google has not offered compensation. “Chromium embedders and companies with whom Google has a pre-existing business relationship may not be eligible for rewards,” according to the guidelines of its Chrome vulnerability reward program.
Five of the 12 medium-severity flaws that were fixed with this browser iteration were use-after-free issues, affecting WebRTC (two security holes), Base internals, Media, and WebApp Installs, among others. The first two bugs cost Google $20,000 each, while the third bug cost $15,000.
Heap buffer overflow, cross-origin data leak, policy bypass, inappropriate implementation, UI spoofing (two bugs), and insufficient policy enforcement were among the other medium-severity flaws.
With the newest Chrome release, two low-severity flaws were fixed, both of which were use-after-free issues. Google revealed that it had paid a $10,000 prize for the first, but the amount paid for the second has yet to be determined.
Google disclosed that it had paid out over $130,000 in bounty rewards to the researchers who reported the flaws.
Chrome 93.0.4577.63, the most recent version of Chrome, is now available for Windows, Mac, and Linux users.