Google has released an emergency update for Chrome that addresses four vulnerabilities. One of them is rated critical, the other three high severity. Browser users are advised to upgrade immediately to build 77.0.3865.90 on Windows, Mac, and Linux.
According to the announcement, all four vulnerabilities belong to the use-after-free class: a bug in which the program keeps using memory after it has been freed. The most serious of them, CVE-2019-13685, was found in the browser's user interface code; it allows bypassing browser protections and executing third-party code on the system.
Vulnerability CVE-2019-13686 is present in the code that provides offline browsing. Two more bugs, CVE-2019-13687 and CVE-2019-13688, appeared in the module responsible for playing multimedia content.
The researcher who discovered them received a reward from Google.
“Google has paid out a total of $40,000 in rewards to Man Yue Mo of Semmle for both the vulnerabilities, $20,000 for CVE-2019-13687 and $20,000 for CVE-2019-13688, while the bug bounties for the remaining two vulnerabilities are yet to be decided”, the report says.
The developer has not yet disclosed details of the new problems, so that users can install the patches before the information is published and attackers can make use of it. Where a bug lives in a third-party library that is also used by other, not yet patched projects, Google will keep the details under embargo for longer.
Google last patched its browser a week ago, when it released Chrome 77. That release contained many changes and closed 52 vulnerabilities, including eight rated high severity and one rated critical.
Although Chrome automatically notifies the user when a new version is available, experts advise starting the update manually and then restarting the browser. To limit the impact of attacks through zero-day vulnerabilities, users are also encouraged to run all programs on the system with the least privileges possible.
A use-after-free vulnerability is a class of memory corruption bug in which a program continues to use a pointer to memory it has already freed. Because the freed memory may be reallocated and filled with unrelated data, the stale pointer can read or modify data in memory, corrupting program state and, in the worst case, enabling an unprivileged user to escalate privileges on an affected system or piece of software.
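To make the mechanism behind the use-after-free class described above concrete, here is a small added example in C. It is not code from Chrome or from the advisory; it uses a constructed toy slab allocator (four fixed slots, first-free allocation) so that the behaviour is deterministic, whereas a real use-after-free is undefined behaviour. The first scenario shows why the bug matters: object A is freed, its slot is recycled for an unrelated object B, and a raw pointer still held for A now sees B's data. The second scenario shows one defensive pattern, a generation counter on each slot, so that a stale handle is refused instead of dereferenced. All names (`toy_alloc`, `handle_t`, and so on) are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy slab allocator used only for this illustration:
 * four fixed-size slots, handed out first-free. Not a real allocator. */
#define SLOTS 4
#define SLOT_SIZE 32

static char pool[SLOTS][SLOT_SIZE];
static int in_use[SLOTS];
static uint32_t generation[SLOTS];   /* bumped on every free of that slot */

/* A handle that remembers which "lifetime" of the slot it belongs to. */
typedef struct {
    int slot;
    uint32_t gen;
} handle_t;

static void toy_reset(void) {
    memset(pool, 0, sizeof pool);
    memset(in_use, 0, sizeof in_use);
    memset(generation, 0, sizeof generation);
}

static handle_t toy_alloc(const char *contents) {
    handle_t h = { -1, 0 };
    for (int i = 0; i < SLOTS; i++) {
        if (!in_use[i]) {
            in_use[i] = 1;
            strncpy(pool[i], contents, SLOT_SIZE - 1);
            pool[i][SLOT_SIZE - 1] = '\0';
            h.slot = i;
            h.gen = generation[i];
            return h;
        }
    }
    return h;   /* slot == -1 means the pool is exhausted */
}

static void toy_free(handle_t h) {
    in_use[h.slot] = 0;
    generation[h.slot]++;   /* every older handle to this slot is now stale */
}

/* Unchecked access: exactly what a raw C pointer does. */
static const char *raw_read(handle_t h) {
    return pool[h.slot];
}

/* Checked access: refuses a handle whose generation no longer matches. */
static const char *checked_read(handle_t h) {
    if (h.slot < 0 || !in_use[h.slot] || generation[h.slot] != h.gen)
        return NULL;   /* stale handle: this would have been a use-after-free */
    return pool[h.slot];
}

/* Scenario 1: A is freed, the slot is recycled for B, then code that
 * still holds A's handle reads it and sees B's contents instead. */
static const char *uaf_through_raw_pointer(void) {
    toy_reset();
    handle_t a = toy_alloc("object-A");
    toy_free(a);                          /* A is gone ...              */
    handle_t b = toy_alloc("object-B");   /* ... and B reuses slot 0   */
    (void)b;
    return raw_read(a);                   /* stale read returns "object-B" */
}

/* Scenario 2: same sequence, but the generation check catches the stale handle. */
static const char *uaf_caught_by_generation_check(void) {
    toy_reset();
    handle_t a = toy_alloc("object-A");
    toy_free(a);
    handle_t b = toy_alloc("object-B");
    (void)b;
    return checked_read(a);               /* NULL: refused as stale */
}

/* Sanity check: a live object is still readable through a checked handle. */
static int live_object_readable(void) {
    toy_reset();
    handle_t a = toy_alloc("object-A");
    const char *p = checked_read(a);
    return p != NULL && strcmp(p, "object-A") == 0;
}

int main(void) {
    printf("raw read after free sees: \"%s\"\n", uaf_through_raw_pointer());
    const char *r = uaf_caught_by_generation_check();
    printf("generation-checked read: %s\n", r ? r : "(rejected as stale)");
    printf("live object readable: %d\n", live_object_readable());
    return 0;
}
```

The generation counter is one of several ways to turn a silent stale read into a detectable error; in production code the same goal is usually served by clearing pointers on free, by smart pointers or ownership types that make the lifetime explicit, and by running the test suite under a memory-error detector so that reads of freed memory are reported instead of silently returning whatever now occupies the slot.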