
Security update for Chrome 120

Summary of the issues resolved and details on the implications of use-after-free flaws

Google has updated Chrome to version 120, fixing 10 security vulnerabilities. The most serious are related to 'use-after-free' issues, potentially dangerous because they can allow the execution of arbitrary code. In the update, Google awarded rewards totaling $15,000 to researchers for reporting such flaws.


Google recently released Chrome 120 to the stable channel with fixes for 10 vulnerabilities. Five of these were reported by external researchers, and Google awarded them a total of $15,000 in rewards, as indicated in Google's official notice.

Details on fixed vulnerabilities

The most critical of the resolved issues is CVE-2023-6508, a high-severity use-after-free (use of memory after it has been released) in the Media Stream component, which earned a $10,000 reward. Next is CVE-2023-6509, in the same severity category, which affects the browser's Side Panel Search component.

The implications of use-after-free flaws

Use-after-free flaws occur when a program fails to "clean up" pointers to memory that has been freed and later uses them again. They can lead to arbitrary code execution, data corruption, or denial of service. Furthermore, when combined with other vulnerabilities, they can be exploited to completely compromise a system. In the case of Chrome, these vulnerabilities could allow the sandbox to be circumvented, but this would require additional security flaws in the underlying operating system or in highly privileged processes.

Google releases and active prevention

The current iteration of Chrome ships in version 120.0.6099.62 for macOS and Linux and in version 120.0.6099.62/.63 for Windows. Google also updated the Chrome Extended Stable channel to version 120.0.6099.62 for macOS and 120.0.6099.63 for Windows. The company has not identified any active attacks exploiting the fixed vulnerabilities. It should be noted that a security update for Chrome was issued last week to address CVE-2023-6345, marking the seventh zero-day flaw identified in the browser in 2023.
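The build numbers above can be turned into a fleet check. The following is an added example, not part of the original article or any Google tooling; the inventory format, host names and sample versions are constructed assumptions, and only the fixed build numbers come from the article.

```python
# Fixed builds as listed in the article, keyed by (channel, platform).
FIXED_BUILDS = {
    ("stable", "macos"): "120.0.6099.62",
    ("stable", "linux"): "120.0.6099.62",
    ("stable", "windows"): "120.0.6099.62",  # article lists .62/.63; .62 is the lower bound
    ("extended", "macos"): "120.0.6099.62",
    ("extended", "windows"): "120.0.6099.63",
}

def parse_version(text):
    """Return a 4-int tuple for 'MAJOR.MINOR.BUILD.PATCH', or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def audit(inventory):
    """Map each host to (status, detail); status is patched, outdated or unknown."""
    results = {}
    for host, platform, channel, version in inventory:
        fixed = FIXED_BUILDS.get((channel.lower(), platform.lower()))
        installed = parse_version(version)
        if fixed is None:
            results[host] = ("unknown", f"no fixed build listed for {channel}/{platform}")
        elif installed is None:
            results[host] = ("unknown", f"unparseable version {version!r}")
        elif installed >= parse_version(fixed):  # numeric compare, not string compare
            results[host] = ("patched", f"{version} >= {fixed}")
        else:
            results[host] = ("outdated", f"{version} < {fixed}")
    return results

# Constructed sample inventory: (host, platform, channel, installed version).
SAMPLE_INVENTORY = [
    ("ws-01", "Windows", "stable", "120.0.6099.63"),
    ("ws-02", "Windows", "extended", "120.0.6099.62"),
    ("mac-01", "macOS", "stable", "119.0.6000.10"),
    ("lin-01", "Linux", "stable", "120.0.6099.62"),
    ("lin-02", "Linux", "extended", "120.0.6099.62"),
    ("ws-03", "Windows", "stable", "120.0.6099"),
]

if __name__ == "__main__":
    for host, (status, detail) in audit(SAMPLE_INVENTORY).items():
        print(f"{host:8} {status:9} {detail}")
```

Hosts reported as `unknown` need manual review rather than being treated as patched: the article names no Extended Stable build for Linux, and a truncated version string cannot be compared safely.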


12/06/2023 14:43

Editorial AI
