Google addresses critical security vulnerabilities in Chrome 66

Pierluigi Paganini May 12, 2018

Google released an updated version of Chrome 66 that addresses a Critical security vulnerability that could be exploited by an attacker to take over a system.

Google released an updated version of Chrome 66 (version 66.0.3359.170) for Windows, Mac, and Linux systems that addressed 4 security vulnerabilities.

“This update includes 4 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information,” reads the post published by Google.

  • [835887] Critical: Chain leading to sandbox escape. Reported by Anonymous on 2018-04-23
  • [836858] High CVE-2018-6121: Privilege Escalation in extensions.
  • [836141] High CVE-2018-6122: Type confusion in V8.
  • [$5000][833721] High CVE-2018-6120: Heap buffer overflow in PDFium. Reported by Zhou Aiting (@zhouat1) of Qihoo 360 Vulcan Team on 2018-04-17

Chrome 66 flaws

Three of the vulnerabilities were reported by external researchers. The most severe issues are a privilege escalation in extensions, tracked as CVE-2018-6121, and a type confusion in V8, tracked as CVE-2018-6122.

An anonymous researcher reported that chaining the two flaws could result in a sandbox escape and could allow a remote attacker to take control of target systems.

The update also addresses CVE-2018-6120, a heap buffer overflow in PDFium reported by Zhou Aiting of Qihoo 360 Vulcan Team, who received a $5,000 reward.

In April, Google issued security patches to address another Critical flaw in Chrome; that flaw was fixed in version 66.0.3359.137.


(Security Affairs – Chrome 66, Google)
