Google patches 7 bugs in Chrome browser
Updates Chrome for the second time this month, pays $6,000 in bounties
Computerworld - Google patched seven vulnerabilities in Chrome on Tuesday as it issued the second security update for its browser this month.
Before Tuesday, Google last patched Chrome three weeks ago on June 8, when it quashed 15 bugs.
Three of the seven vulnerabilities were identified as "use-after-free" bugs, a type of memory management flaw that can be exploited to inject attack code.
As per its practice, Google locked the Chrome bug-tracking database to prevent outsiders from reading the engineers' discussions on the patched vulnerabilities. The company bars the public from the database to give users time to update, sometimes waiting months before removing the blocks.
For instance, descriptions of only two of the 15 bugs Google patched earlier this month can be accessed by the public.
Google paid out $6,000 in bounties to three researchers for reporting the seven vulnerabilities, awarding $4,500 of that to a researcher identified only as "miaubiz," who uncovered five of the seven bugs.
Frequent bug contributor Sergey Glazunov, who receives bounty money from most Chrome security updates, was not listed in yesterday's tally. Glazunov is the only researcher who had received Google's top bounty of $3,133, which he's done twice.
Only Google and Mozilla pay bounties to independent security researchers who report browser bugs. Both companies have argued that bounties, although nowhere near the money that a criminally-inclined researcher could receive on the black market, improve the security of their applications.
"If you launch a vulnerability reward program, you will receive more vulnerability reports from a wider range of researchers," said Chris Evans, a Google security engineer, in a post to his personal blog last month. "The power of credit and prestige is often cited as an argument to not launch a reward program, but the fact remains that you will get more reports if you have a program in place. And as long as you have a culture of fixing security bugs promptly, your users will be safer thanks to having a reward program."
So far this year, Google has paid out over $94,000 in bug bounties.
Chrome's "stable" channel -- the build that's akin to what other developers call their "released" line -- was updated to version 12 earlier this month, so Tuesday's update did not come with any new features. But with the beta build now at 13, it's likely that the stable edition will reach the same in mid-to-late July.
Google has Chrome on a rapid-release schedule that ups the version count every six-to-eight weeks. Mozilla now apes that faster pace for its Firefox, which is on a six-week cycle.
According to Web metrics firm Net Applications, Chrome accounted for 12.5% of all browsers used worldwide last month.
Existing copies of Chrome will be updated automatically to the patched edition by Google's silent, in-the-background update service.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
- Google reverses field, promises to restore Chrome's scrollbar arrows
- Update: Google ships Chrome 33, patches 28 bugs
- Mozilla's top exec defends in-Firefox ads, revenue search
- Mozilla taps in-Firefox ads as it searches for more revenue
- Mozilla ships Metro Firefox beta for Windows 8
- Mozilla defers Firefox's new 'Australis' UI to April
- Mozilla resets Metro Firefox ship date to mid-March
- Mozilla ships Firefox 26 with opening click-to-play move
- Mozilla banked $274M in '12 from Google-Firefox search deal
- Google trumpets Chrome's SPDY gains
Read more about Desktop Apps in Computerworld's Desktop Apps Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Is Your Big Data Solution Production-Ready? Read "Is Your Big Data Solution Production-Ready?" now, and discover best practices and actionable steps to implementing a production-ready big data solution.
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Simplify and Consolidate Data Protection for Better Business Results Learn about IBM® Tivoli® Storage Manager Operations Center, which provides advanced visualization, built-in analytics and integrated workflow automation features that leapfrog traditional backup...
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Desktop Apps White Papers | Webcasts