Google patches 7 bugs in Chrome browser
Updates Chrome for the second time this month, pays $6,000 in bounties
Computerworld - Google patched seven vulnerabilities in Chrome on Tuesday as it issued the second security update for its browser this month.
Before Tuesday, Google last patched Chrome three weeks ago on June 8, when it quashed 15 bugs.
Three of the seven vulnerabilities were identified as "use-after-free" bugs, a type of memory management flaw that can be exploited to inject attack code.
As per its practice, Google locked the Chrome bug-tracking database to prevent outsiders from reading the engineers' discussions on the patched vulnerabilities. The company bars the public from the database to give users time to update, sometimes waiting months before removing the blocks.
For instance, descriptions of only two of the 15 bugs Google patched earlier this month can be accessed by the public.
Google paid out $6,000 in bounties to three researchers for reporting the seven vulnerabilities, awarding $4,500 of that to a researcher identified only as "miaubiz," who uncovered five of the seven bugs.
Frequent bug contributor Sergey Glazunov, who receives bounty money from most Chrome security updates, was not listed in yesterday's tally. Glazunov is the only researcher who had received Google's top bounty of $3,133, which he's done twice.
Only Google and Mozilla pay bounties to independent security researchers who report browser bugs. Both companies have argued that bounties, although nowhere near the money that a criminally-inclined researcher could receive on the black market, improve the security of their applications.
"If you launch a vulnerability reward program, you will receive more vulnerability reports from a wider range of researchers," said Chris Evans, a Google security engineer, in a post to his personal blog last month. "The power of credit and prestige is often cited as an argument to not launch a reward program, but the fact remains that you will get more reports if you have a program in place. And as long as you have a culture of fixing security bugs promptly, your users will be safer thanks to having a reward program."
So far this year, Google has paid out over $94,000 in bug bounties.
Chrome's "stable" channel -- the build that's akin to what other developers call their "released" line -- was updated to version 12 earlier this month, so Tuesday's update did not come with any new features. But with the beta build now at 13, it's likely that the stable edition will reach the same in mid-to-late July.
Google has Chrome on a rapid-release schedule that ups the version count every six-to-eight weeks. Mozilla now apes that faster pace for its Firefox, which is on a six-week cycle.
According to Web metrics firm Net Applications, Chrome accounted for 12.5% of all browsers used worldwide last month.
Existing copies of Chrome will be updated automatically to the patched edition by Google's silent, in-the-background update service.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.
- Mozilla ships Firefox 31, adds search to new tab page
- Microsoft's IE steps back from the brink of irrelevance
- Firefox falters, falls to record low in overall browser share
- Firefox risks user backlash by adding search box to new tab page
- Google unseats Microsoft as the U.S. browser powerhouse
- Safari, Chrome push to mask URLs
- Chrome on Windows champs at the 64-bit
- Google pulls trigger, cripples some Chrome add-ons
- Microsoft shoots to shorten Internet Explorer's long tail
- Firefox risks irrelevance as mobile browsing booms
Read more about Desktop Apps in Computerworld's Desktop Apps Topic Center.
- The Business Value of Continuous Delivery Download this whitepaper to learn more about the business value of Continuous Delivery and see why it could be a game changer for...
- Ten Factors Shaping the Future of Application Delivery Download this research report conducted by Enterprise Management Associates (EMA) to learn how those that are seeking to accelerate application delivery are leveraging...
- HTTP Status Code Cheat Sheet Look at the Graph, Find the Code and Boom - You're Solving Problems. Identifying and understanding common HTTP status codes can go a...
- Architects lead the next generation of data-driven applications Read this whitepaper to find out how application architects can quickly and confidently deliver long-lasting applications that minimize cost, complexity, and risk while...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Why Are Customers Really Deploying an NGFW? It seems every IT Security expert is talking about the NGFW, but what are people really doing? This webcast covers 5 real-world customer... All Desktop Apps White Papers | Webcasts