Chrome 62 Update Patches Serious Vulnerabilities

The second update released by Google for the Windows, Mac and Linux versions of Chrome 62 patches a couple of vulnerabilities rated critical and high severity.
The critical flaw, tracked as CVE-2017-15398, has been described as a stack-based buffer overflow affecting QUIC, a transport network protocol that reduces latency compared to TCP.

The security hole was reported to Google by Ned Williamson on October 24. The tech giant has yet to determine how much it will pay the researcher for reporting the vulnerability, but it could earn him over $10,000.
Earlier this year, Williamson received more than $20,000 from Google for two high severity Chrome flaws related to the IndexedDB noSQL storage system.
The second vulnerability patched with the latest Chrome 62 update is a high severity use-after-free bug affecting the V8 JavaScript engine. This flaw, tracked as CVE-2017-15399, earned Zhao Qixun of the Chinese security firm Qihoo 360 a bounty of $7,500.
Qixun, known online as S0rryMybad, previously reported a type confusion in V8 that earned him the same amount of money. The researcher pointed out on Monday that Google made the details of that flaw public.
The details of the latest vulnerabilities will only be disclosed several weeks from now, after users have had a chance to update their installations. An alert published on Monday by US-CERT warned that an attacker could exploit the flaws to take control of an affected system.
Released in mid-October, the first stable version of Chrome 62 included patches for no less than 35 vulnerabilities, 20 of which were reported by external researchers, including eight high, seven medium, and five low severity flaws. At the time, Google announced paying over $40,000 in bug bounties to the reporting researchers.
The first Chrome 62 update, released on October 26, resolved a high severity stack-based buffer overflow vulnerability in V8. The security hole earned Yuan Deng of Ant-financial Light-Year Security Lab $3,000.
Related: Google Patches High Risk Flaws in Chrome
Related: Microsoft Discloses Code Execution Flaw in Chrome
公司应该按照国家和监管部门信息系统安全规范、技术标准及等级保护管理要求,明确信息系统安全保护等级,实施信息系统安全等级保护,按等级安全要求进行备案并定期测评和整改。
…一法一决定执法检查 维护国家网络空间安全和公民信息安全
Related: Google to Remove Support for PKP in Chrome
公司应该诚实守法经营,也应该教育和培训员工遵守法律及商业操作规则,不要以为员工犯了法就和公司无关。

猜您喜欢

一个信息安全动画小故事,随意丢弃损毁的U盘,被保洁员拾走,泄了密……
海外投资,沟通中国与当地文化的桥梁与方法:
网络安全法宣传视频系列001《网络安全法》背景知识
从420亿家财到只能刷2000元 贾跃亭妻子是怎么过的?
ABADOO GUITARBITZ
CyberSecurity网络安全宣传——勿忘在外时的资产保护