Google has confirmed that a high-severity security vulnerability in the Chrome web browser was found by Apple’s Security Engineering and Architecture team. Moreover, the SEAR team was awarded a bug bounty of $15,000 from Google for the discovery and disclosure. As surprising as it may sound to some readers, Google has paid Apple for effectively hacking Chrome security; and that’s a good thing.
What Is Apple SEAR?
Apple’s SEAR team is tasked with providing the foundation for operating system security across all of the Cupertino-based technology behemoth’s product lines. The security researchers within the SEAR team are best known, of course, for uncovering vulnerabilities within the likes of iOS. If they happen to come across something that relates to a third-party product as part of this ongoing security process, then a responsible disclosure will be made. The news of this particular disclosure came in an August 2 Chrome update announcement confirming 11 security fixes as a result of external contributor vulnerability reports.
Google Pays Apple $15,000 For CVE-2023-4072
CVE-2023-4072 is an “out of bounds read and write” vulnerability within Chrome’s WebGL implementation. WebGL is the JavaScript application programming interface that lets a web page render interactive 2D and 3D graphics in the browser without any plug-ins, which also means it is reachable from the JavaScript of any site a user visits. An out-of-bounds vulnerability exists where a program can read, and in this case also write, memory outside the bounds of an allocated buffer. An out-of-bounds read can disclose whatever happens to sit next to the buffer; an out-of-bounds write can corrupt the neighbouring data, which is why this class of bug is rated high severity in a renderer that processes untrusted content.
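To make the “read and write outside the bounds of an allocated area of memory” concrete, here is an added example; it is not Chrome or WebGL code and says nothing about how CVE-2023-4072 itself works. It simulates a heap with a flat arena in which a pixel buffer sits immediately before an unrelated record (all names, sizes and contents are constructed for illustration). An accessor that trusts the caller’s index leaks and then corrupts the neighbour, while the bounds-checked version refuses the same indices. Real out-of-bounds access in C is undefined behaviour, so the example keeps every access inside the arena to stay deterministic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed example: a flat arena standing in for a heap. Two "objects"
 * are carved out of it back to back, the way an allocator might place a
 * pixel buffer next to an unrelated object. Offsets are explicit so that an
 * out-of-bounds access stays inside the arena and is deterministic; the
 * arena boundary itself is deliberately not checked by the unchecked
 * accessors, exactly like the buffer boundary they fail to check. */
#define ARENA_SIZE 64

typedef struct {
    size_t base;    /* offset of the object's data in the arena */
    size_t length;  /* number of bytes the object legitimately owns */
} buffer_t;

static uint8_t arena[ARENA_SIZE];

/* First object: a 16-byte pixel buffer. Second object: a 16-byte record
 * placed immediately after it (hypothetical "secret" neighbour). */
static const buffer_t pixels = { .base = 0,  .length = 16 };
static const buffer_t secret = { .base = 16, .length = 16 };

/* Put the arena into a known state: pixel bytes 0x11, neighbour holds a token. */
void arena_reset(void) {
    memset(arena, 0, sizeof arena);
    memset(arena + pixels.base, 0x11, pixels.length);
    memcpy(arena + secret.base, "TOKEN-0123456789", secret.length);
}

/* Vulnerable reader: trusts the caller's index, so index >= length returns
 * the neighbouring object's bytes (information disclosure). */
uint8_t read_pixel_unchecked(const buffer_t *buf, size_t index) {
    return arena[buf->base + index];
}

/* Vulnerable writer: index >= length overwrites the neighbour (corruption). */
void write_pixel_unchecked(const buffer_t *buf, size_t index, uint8_t value) {
    arena[buf->base + index] = value;
}

/* Hardened reader: rejects any index that is not < length.
 * Returns 0 on success, -1 on an out-of-bounds request. */
int read_pixel_checked(const buffer_t *buf, size_t index, uint8_t *out) {
    if (index >= buf->length) return -1;
    *out = arena[buf->base + index];
    return 0;
}

/* Hardened writer with the same contract. */
int write_pixel_checked(const buffer_t *buf, size_t index, uint8_t value) {
    if (index >= buf->length) return -1;
    arena[buf->base + index] = value;
    return 0;
}

/* First byte of the neighbour record, to observe corruption. */
uint8_t secret_first_byte(void) { return arena[secret.base]; }

/* Read the whole neighbour record through the unchecked reader by indexing
 * past the end of the pixel buffer. out must hold secret.length bytes;
 * returns the number of bytes leaked. */
size_t leak_neighbour(uint8_t *out) {
    for (size_t i = 0; i < secret.length; i++)
        out[i] = read_pixel_unchecked(&pixels, pixels.length + i);
    return secret.length;
}

int main(void) {
    uint8_t leaked[16];
    uint8_t v = 0;
    int rc;

    arena_reset();
    leak_neighbour(leaked);
    printf("unchecked read past index 15 leaked: %.16s\n", (const char *)leaked);

    write_pixel_unchecked(&pixels, 16, 'X');
    printf("unchecked write at index 16 changed neighbour's first byte to '%c'\n",
           secret_first_byte());

    rc = read_pixel_checked(&pixels, 16, &v);
    printf("checked read at index 16: rc=%d (%s)\n", rc, rc ? "rejected" : "allowed");
    return 0;
}
```

The fix is the single comparison `index >= length` applied on every path that touches the buffer; the usual failure in real code is a path (a resize, a copy, a fast path) that computes the offset without repeating that check.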
Google isn’t revealing much about this vulnerability, keeping the technical details restricted until a majority of Chrome users have installed the update. According to the threat intelligence platform VulnDB (Vulnerability Database), however, “it is known to affect confidentiality, integrity, and availability.” Furthermore, VulnDB states that user interaction is required for successful exploitation. No known exploits are available at this time either, which is good news.
Bug Bounties Totaling $123,000 Paid By Google
In all, Google awarded bounties totaling $123,000 for vulnerabilities confirmed in the latest update, which takes Chrome to versions 115.0.5790.170 for Mac and Linux, and 115.0.5790.170/.171 for Windows.
The biggest bounty went to ‘Jerry’ for CVE-2023-4068, a type confusion vulnerability in the Chrome V8 JavaScript engine, and came to $23,000. Jerry picked up a further $20,000 bounty for CVE-2023-4070, another V8 type confusion vulnerability.
Man Yue Mo from the GitHub Security Lab was awarded $21,000 for, you guessed it, another type confusion vulnerability in Chrome’s V8 engine, designated as CVE-2023-4069.
A $17,000 reward went to Guang and Weipeng Jiang of VRI for CVE-2023-4071, a vulnerability in the Visuals function.
Jaehun Jeong of Theori was awarded $10,000 for reporting a vulnerability, CVE-2023-4073, in the Almost Native Graphics Layer Engine (ANGLE) developed by Google.
An $8,000 bounty was paid for CVE-2023-4074, a vulnerability disclosed by an anonymous researcher that impacts Chrome’s Blink Task Scheduling.
Cassidy Kim reported CVE-2023-4075, a use-after-free vulnerability in Cast and earned $5,000.
Anonymous researchers were awarded $3,000 and $1,000, respectively, for CVE-2023-4077 and CVE-2023-4078, vulnerabilities impacting the Chrome Extensions function.
Updates for the Chrome browser are downloaded automatically, and Google has already started rolling the newest security fixes out. My advice is always to ensure you are up to date by heading to Help|About Google Chrome from the Chrome menu, which forces a check for, and download of, the latest update. The update does not take effect, and does not protect you against these vulnerabilities, until the browser is restarted, so click Relaunch when it appears and confirm the version shown matches the fixed build.