Google Chrome bags a rare critical vulnerability fix

Browser update also patches 11 other flaws

Google today patched 12 vulnerabilities in Chrome, including one of the few labeled "critical" that it has fixed in the five-year history of its browser.

Tuesday's update to the "stable" build channel -- analogous to a production version -- included 12 patches: one critical, 10 pegged as "high" and one as "medium" in Google's four-step threat system.

The critical bug was described by Google as a "memory corruption in SSL socket handling" and credited to Sebastien Marchand of the Chromium development team. Chromium is the open-source project that feeds code into Chrome and Chrome OS; the latter is Google's browser-based operating system that powers its own and hardware partners' Chromebook laptops.

The last time Google identified a Chrome bug as critical was in December 2012, when another Google employee, Michal Zalewski, was given the nod as the flaw's finder.

Only a small fraction of Chrome's vulnerabilities have been characterized as critical. In 2012, for example, Google used the label on just 12 out of nearly 250 reported bugs, or about 5% of the total.

Most of 2012's critical vulnerabilities were credited to Google's own security or software engineers, or to winners of big-money contests sponsored by Google, like the researcher known only as "Pinkie Pie." Over the last 15 months, Pinkie Pie has earned more than $170,000 in bounties and hacking contest awards.

A majority of the 12 flaws patched today were memory corruption-related vulnerabilities, a common category in Chrome, in part because researchers stress-test the browser code with a Google-designed "fuzzer" built to sniff out such bugs.

Nine of the 12 vulnerabilities were reported to Google by six outside researchers who received $10,837 for their work. Two of the six earned more than $3,000 each. So far this year, Google has paid out about $213,000 from its Chrome bug bounty program or as contest prizes.

New users can download the patched edition of Chrome 27 from Google's website, while current users can let the automatic updater retrieve and install the fixes.

This article, Google Chrome bags a rare critical vulnerability fix, was originally published at Computerworld.com.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.
