Google has fixed three more significant bugs in Chrome that could be exploited to escape the web browser's sandbox, and has awarded the researcher who reported them a total of $50,000.
A Chrome 77 update released by Google in September patched two sandbox escape vulnerabilities reported by Man Yue Mo of the Semmle Security Research team. GitHub recently acquired Semmle for its software review platform.
Both flaws, caused by bugs in the media component, were valued by Google at $20,000 each.
Chrome 78, released this week, and a Chrome 77 update released earlier this month fix three more vulnerabilities recently reported by Man Yue Mo: a use-after-free in the audio component (CVE-2019-13695), a use-after-free in media elements (CVE-2019-13699), and a buffer overrun in the Blink rendering engine (CVE-2019-13700).
All three security holes are classified as high severity and were rewarded by Google with $15,000, $20,000 and $15,000 respectively.
Semmle has donated the $95,000 earned for the Chrome vulnerabilities to an unnamed organization; the company donates all of its bug bounties. Under the rules of its Chrome Vulnerability Reward Program, Google doubles the bounty amount if the reporter chooses to donate it to a registered charity.
Fermín J. Serna, lead security researcher at GitHub, said that, like the previously found flaws, the issues patched in Chrome 78 can help an intruder escape the Chrome sandbox once they are already able to execute arbitrary code inside it.
On their own, these vulnerabilities are of limited use to an attacker; chained with other security flaws, they can be very useful.
“They require an additional vulnerability in the entire chain of ‘browse a website and untrusted code from an attacker outside of any sandbox’,” explained Serna.
No technical details on these vulnerabilities have been published, but CVE-2019-13700 was described as an off-by-one error that allows an attacker to write a null byte.
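To make the bug class concrete, the following is an added C example, not code from Chrome or from the researchers, and it does not reproduce the actual CVE-2019-13700 defect (which has not been published). It shows the textbook form of an off-by-one null-byte write in a string copy routine beside a bounded version, and observes the stray write through a deliberately oversized backing array so the demonstration stays within defined behaviour. The function names, the capacity of 8 and the guard byte value are all constructed for the example.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Off-by-one: copies up to cap bytes and then writes the terminator at
   dst[n]. When the source fills the buffer, n == cap, so the NUL lands
   at dst[cap], one byte past the end of the caller's buffer. */
size_t copy_offbyone(char *dst, size_t cap, const char *src) {
    size_t n = strlen(src);
    if (n > cap) n = cap;            /* wrong: leaves no room for the NUL */
    memcpy(dst, src, n);
    dst[n] = '\0';                   /* writes dst[cap] when n == cap */
    return n;
}

/* Fixed: reserve one byte for the terminator and report truncation.
   Returns 1 if the source was truncated, 0 if it fit, -1 on zero capacity. */
int copy_bounded(char *dst, size_t cap, const char *src, size_t *written) {
    if (cap == 0) return -1;
    size_t n = strlen(src);
    int truncated = 0;
    if (n > cap - 1) { n = cap - 1; truncated = 1; }
    memcpy(dst, src, n);
    dst[n] = '\0';                   /* always at index <= cap - 1 */
    if (written) *written = n;
    return truncated;
}

/* Constructed capacity; the backing arrays below are one byte larger so
   the out-of-contract write hits a guard byte we can inspect. */
#define CAP 8
#define GUARD 0x41

/* Returns 1 when the buggy copy has overwritten the guard byte with NUL. */
int demo_offbyone_corrupts_guard(void) {
    char backing[CAP + 1];
    memset(backing, GUARD, sizeof backing);
    copy_offbyone(backing, CAP, "ABCDEFGH");   /* exactly CAP characters */
    return backing[CAP] == '\0';
}

/* Returns 1 when the bounded copy truncates, terminates inside the buffer
   and leaves the guard byte untouched. */
int demo_bounded_preserves_guard(void) {
    char backing[CAP + 1];
    memset(backing, GUARD, sizeof backing);
    size_t w = 0;
    int trunc = copy_bounded(backing, CAP, "ABCDEFGH", &w);
    return backing[CAP] == GUARD && trunc == 1 && w == CAP - 1
           && strcmp(backing, "ABCDEFG") == 0;
}

int main(void) {
    printf("off-by-one overwrote guard: %d\n", demo_offbyone_corrupts_guard());
    printf("bounded copy kept guard:    %d\n", demo_bounded_preserves_guard());
    return 0;
}
```

The single overwritten byte is exactly what makes this class hard to spot in review: the copy itself is bounded, and only the terminator escapes the buffer. Compiling with AddressSanitizer or running under a bounds-checking allocator catches the write on the first call, which is the practical check to add to a test suite for any hand-written copy routine.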
Chrome 78 patches a total of 37 vulnerabilities, including 21 problems that outside researchers have reported to Google.