Google and Mozilla released new versions of Chrome and Firefox browsers to addressed several high-severity vulnerabilities.
Mozilla has released Firefox version 75 that includes six security patches for the desktop, and two patches targeting to address vulnerabilities in the Android app.
Mozilla fixed three high-severity vulnerabilities, two of which are memory safety bugs tracked as CVE-2020-6825 and CVE-2020-6826 that could lead to arbitrary code execution.
“Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.” Mozilla explains.
The arbitrary code execution for Firefox for Android was tracked as CVE-2020-6828.
The other two high-risk bugs could be respectively exploited to leak sensitive data (CVE-2020-6821) or to trick the mobile browser into displaying the incorrect URI (CVE-2020-6827).
Mozilla fixed a moderate severity rating flaw tracked as CVE-2020-6822 that could lead to code execution as well, along with two other two issues tracked as CVE-2020-6823 and CVE-2020-6824.
Google released Chrome version 81 that includes 32 security flaws, three of which are rated high-risk severity, eight medium-severity issues, and twelve low-risk bugs.
“The Chrome team is delighted to announce the promotion of Chrome 81 to the stable channel for Windows, Mac and Linux. This will roll out over the coming days/weeks.” reads the post published by Google.
“Chrome 81.0.4044.92 contains a number of fixes and improvements — a list of changes is available in the log. Watch out for upcoming Chrome and Chromium blog posts about new features and big efforts delivered in 81.”
The most severe flaw tracked as CVE-2020-6454 is a use-after-free vulnerability in extensions, the remaining two other high-risk issues were a use-after-free in audio tracked as CVE-2020-6423 and an out-of-bounds read in WebSQL tracked as CVE-2020-6455.
Half of the medium-severity vulnerabilities were insufficient policy enforcement bugs, type confusion in V8, insufficient validation of untrusted input in clipboard, use-after-free in devtools, and use-after-free in window management.
Low-severity bugs were insufficient policy enforcements, inappropriate implementations, uninitialized use in WebRTC, and use-after-free in V8.
Google says it paid over $26,000 in bug bounty rewards to the reporting security researchers, but the company has yet to disclose the exact amount it awarded for all of the externally reported vulnerabilities.
(SecurityAffairs – Mozilla Firefox, Google Chrome)