Google and Mozilla on Tuesday announced security updates that address more than 35 vulnerabilities in their browsers, including a dozen high-severity flaws.
Chrome 124 was released in the stable channel with patches for 22 bugs, 13 of which were reported by external researchers.
Of the externally reported flaws, three are high-severity issues. Based on the bug bounty reward handed out, the most severe of these is CVE-2024-3832, described as an object corruption defect in the V8 JavaScript engine.
Google credited Man Yue Mo of GitHub Security Lab for reporting the vulnerability and says it paid out a $20,000 reward for it.
The researcher also reported CVE-2024-3833, a high-severity object corruption issue in WebAssembly, for which Google handed out a $10,000 reward.
The third high-severity flaw reported by an external researcher is CVE-2024-3834, a use-after-free defect in Downloads. Google says it handed out a $3,000 bug bounty reward for this report.
This Chrome update also resolves six medium-severity and four low-severity issues reported by outside researchers.
The internet giant says it paid out a total of $65,000 in bug bounty rewards for these flaws. However, the final amount might be higher, as Google has yet to determine the amount to be handed out for two of the bugs.
The latest Chrome iteration is now rolling out as version 124.0.6367.60/.61 for Windows and macOS and as version 124.0.6367.60 for Linux.
Firefox 125 was released with patches for 15 vulnerabilities, including nine high-severity bugs, some of which could allow attackers to execute arbitrary code.
Five of the high-severity issues impact the JIT component, which, under certain conditions, could return the wrong object, generate code with out-of-bounds-reads, create incorrect code for arguments, or crash while tracing a mutated JavaScript object.
Two of the remaining high-severity bugs are related to garbage collection, while the other two are memory safety bugs that, with enough effort from attackers, “could have been exploited to run arbitrary code”.
The Firefox update also resolves five medium-severity security defects and a low-severity one. The former, tracked as CVE-2024-3302, could lead to denial-of-service (DoS) using HTTP/2 CONTINUATION frames, using a new attack method called HTTP/2 Continuation Flood.
On Tuesday, Mozilla also announced the release of Firefox ESR 115.10, which resolves nine of the vulnerabilities addressed in Firefox 125.
Related: Google Pays Out $41,000 for Three Serious Chrome Vulnerabilities
Related: Chrome 123, Firefox 124 Patch Serious Vulnerabilities
Related: Chrome 122, Firefox 123 Patch High-Severity Vulnerabilities
