Of the other bugs identified by external researchers, eight are considered high risk, 18 are medium-serious and 9 are considered to be low-risk. The two critical vulnerabilities include CVE-2019-13725, the Bluetooth component of the Tencent Keen Security Lab identified by Gengming Liu and Jianyu Chen and CVE-2019-13726, a heap overflow buffer in Google Project Zero’s password management study. Google announced it paid $20,000 for the afterfree usage vulnerability but it still had to evaluate the heap buffer overflow bug bounty bonus. High-risk vulnerabilities covered in this update include insufficient compliance in WebSockets (CVE-2019-13727), V8-write (CVE-2019-13728 and CVE-2019-13735), WebSockets-write free use (CVE-2019-13729), V8-security style uncertainty (CVE-2019-13730 and CVE-2019-13764), WebAudio usage-after-free (CVE-2019-13732). The medium-severity vulnerabilities include PDFium over-flows, insufficiency in policy enforcement in Autocomplete, Navigating, Omnibox, Cookies, Audio and Developer Tools; Omnibox’s incorrect security UIs, sharing and external protocol handling; insufficient verification of untrusted input to Blink. Low-severity bugs in Chrome 79 include insufficiently implemented regulation in printing, interstitial and omnibox extensions, navigation, downloads, and transactions, as well as inaccurate security user interfaces. Google has also included a warning on reused passwords in its browser: Chrome warns users with passwords as they sign on to websites. The functionality is now built into the software, previously available via an extension. Overall, Google has paid $80,000 for reporting safety scientists in bug awards, but has not yet disclosed the amount paid for 10 of these bugs, including one critical and four major issues. The latest version browser for Windows, Mac and Linux is now available for download as Chrome 79.0.3945.79.
