Google Chrome crea parches para 30 vulnerabilidades a los que se puede acceder a través del Stable Channel Update para Windows, Mac y Linux.
Entre las vulnerabilidades existen cinco calificadas como «high rate flaws». La compañía agradece en su comunicado el trabajo de investigadores externos que detectaron y comunicaron a la empresa varias de las vulnerabilidades mencionadas:
- [$7500][722756] High CVE-2017-5070: Type confusion in V8. Reported by Zhao Qixun(@S0rryMybad) of Qihoo 360 Vulcan Team on 2017-05-16
- [$3000][715582] High CVE-2017-5071: Out of bounds read in V8. Reported by Choongwoo Han on 2017-04-26
- [$3000][709417] High CVE-2017-5072: Address spoofing in Omnibox. Reported by Rayyan Bijoora on 2017-04-07
- [$2000][716474] High CVE-2017-5073: Use after free in print preview. Reported by Khalil Zhani on 2017-04-28
- [$1000][700040] High CVE-2017-5074: Use after free in Apps Bluetooth. Reported by anonymous on 2017-03-09
- [$2000][678776] Medium CVE-2017-5075: Information leak in CSP reporting. Reported by Emmanuel Gil Peyrot on 2017-01-05
- [$1000][722639] Medium CVE-2017-5086: Address spoofing in Omnibox. Reported by Rayyan Bijoora on 2017-05-16
- [$1000][719199] Medium CVE-2017-5076: Address spoofing in Omnibox. Reported by Samuel Erb on 2017-05-06
- [$1000][716311] Medium CVE-2017-5077: Heap buffer overflow in Skia. Reported by Sweetchip on 2017-04-28
- [$1000][711020] Medium CVE-2017-5078: Possible command injection in mailto handling. Reported by Jose Carlos Exposito Bueno on 2017-04-12
- [$500][713686] Medium CVE-2017-5079: UI spoofing in Blink. Reported by Khalil Zhani on 2017-04-20
- [$500][708819] Medium CVE-2017-5080: Use after free in credit card autofill. Reported by Khalil Zhani on 2017-04-05
- [$N/A][672008] Medium CVE-2017-5081: Extension verification bypass. Reported by Andrey Kovalev (@L1kvID) Yandex Security Team on 2016-12-07
- [$N/A][721579] Low CVE-2017-5082: Insufficient hardening in credit card editor. Reported by Nightwatch Cybersecurity Research on 2017-05-11
- [$N/A][714849] Low CVE-2017-5083: UI spoofing in Blink. Reported by Khalil Zhani on 2017-04-24
- [$N/A][692378] Low CVE-2017-5085: Inappropriate javascript execution on WebUI pages. Reported by Zhiyang Zeng of Tencent security platform department on 2017-02-15
La empresa aconseja a los usuarios y administradores que actualicen los sistemas afectados tan pronto como sea posible y recuerda que muchas de sus vulnerabilidades pueden ser detectadas por los usuarios empleando AddressSanitizer, MemorySanitizer, Control Flow Integrity, o libFuzzer.
