Malicious Google Chrome extension collected users' data for third parties

Google's latest stable channel update for the Windows, Mac and Linux versions of Chrome fixes four vulnerabilities, including a critical bug that can lead to a sandbox escape.

The sandbox escape bug was reported on Apr. 23 by an anonymous researcher. In a May 10 company blog post, Google does not list an official CVE identifier for it. The remaining three bugs, all rated high severity, consist of a privilege escalation in extensions (CVE-2018-6121), a type confusion in V8 (CVE-2018-6122) and a heap buffer overflow in PDFium (CVE-2018-6120). Researcher Zhou Aiting of the Qihoo 360 Vulcan Team will earn a $5,000 bug bounty reward for discovering the heap buffer overflow flaw.

Chrome version 66.0.3359.170 for the three desktop operating systems will roll out in the coming days and weeks.

Also on May 10, Google announced that an update of Chrome for Android is now in Google Play. Two days earlier, Google also reported a stable channel update for Chrome operating system devices.