A Chrome 99 update released by Google on Tuesday patches a critical vulnerability discovered by one of the company's own researchers.

The critical flaw, tracked as CVE-2022-0971, is described as a use-after-free issue affecting the Blink Layout component. Google Project Zero's Sergei Glazunov has been credited with reporting the bug.

Google rarely assigns a Chrome vulnerability a "critical severity" rating. In fact, over the past year, only four other Chrome updates have fixed a critical issue. Two of those four critical vulnerabilities were discovered by Glazunov, who also identified a high-severity bug that was patched this week.

The latest Chrome update includes 11 security fixes, eight of which carry a "high severity" rating. These flaws, which can often be used for sandbox escapes or remote code execution, are mostly use-after-free issues.

Google has paid roughly $40,000 to the external researchers who reported vulnerabilities fixed by this Chrome update, but some of the rewards have yet to be determined.

The internet giant recently said it paid out nearly $9 million in bug bounties last year, including roughly $3.1 million for Chrome vulnerabilities.

The number of Chrome vulnerabilities exploited in the wild has increased, with 14 zero-days exploited in 2021, far more than in any other popular web browser.

Google attempted to explain the trend last week, naming several factors that have clearly contributed. The list includes greater transparency about in-the-wild exploitation, the increased complexity of browsers, the need to chain multiple vulnerabilities to build a useful exploit, and attackers increasingly targeting browsers after the demise of their former favorite target, Flash.

RELATED: Google Detects Attack Exploiting Chrome Zero-Day Vulnerability

RELATED: Chrome 95 Update Patches Exploited Zero-Days, Flaws Disclosed at Tianfu Cup

RELATED: Google Paid Over $100,000 for Vulnerabilities Patched by Chrome 99

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia's security news reporter. Eduard holds a bachelor's degree in industrial informatics and a master's degree in computer techniques applied in electrical engineering.
