Google patches 7 bugs in Chrome browser

Computerworld - Google patched seven vulnerabilities in Chrome on Tuesday as it issued the second security update for its browser this month.

All but one of the flaws fixed in Chrome 12.0.742.112 were rated "high," the second-most-severe threat in Google's four-step ranking system. Several components received patches, including the browser's "V8" JavaScript engine, and the CSS (cascade style sheet) and HTML parsers.

Before Tuesday, Google last patched Chrome three weeks ago on June 8, when it quashed 15 bugs.

Three of the seven vulnerabilities were identified as "use-after-free" bugs, a type of memory management flaw that can be exploited to inject attack code.

As per its practice, Google locked the Chrome bug-tracking database to prevent outsiders from reading the engineers' discussions on the patched vulnerabilities. The company bars the public from the database to give users time to update, sometimes waiting months before removing the blocks.

For instance, descriptions of only two of the 15 bugs Google patched earlier this month can be accessed by the public.

Google paid out $6,000 in bounties to three researchers for reporting the seven vulnerabilities, awarding $4,500 of that to a researcher identified only as "miaubiz," who uncovered five of the seven bugs.

Frequent bug contributor Sergey Glazunov, who receives bounty money from most Chrome security updates, was not listed in yesterday's tally. Glazunov is the only researcher who had received Google's top bounty of $3,133, which he's done twice.

Only Google and Mozilla pay bounties to independent security researchers who report browser bugs. Both companies have argued that bounties, although nowhere near the money that a criminally-inclined researcher could receive on the black market, improve the security of their applications.

"If you launch a vulnerability reward program, you will receive more vulnerability reports from a wider range of researchers," said Chris Evans, a Google security engineer, in a post to his personal blog last month. "The power of credit and prestige is often cited as an argument to not launch a reward program, but the fact remains that you will get more reports if you have a program in place. And as long as you have a culture of fixing security bugs promptly, your users will be safer thanks to having a reward program."

So far this year, Google has paid out over $94,000 in bug bounties.

Chrome's "stable" channel -- the build that's akin to what other developers call their "released" line -- was updated to version 12 earlier this month, so Tuesday's update did not come with any new features. But with the beta build now at 13, it's likely that the stable edition will reach the same in mid-to-late July.

Google has Chrome on a rapid-release schedule that ups the version count every six-to-eight weeks. Mozilla now apes that faster pace for its Firefox, which is on a six-week cycle.

According to Web metrics firm Net Applications, Chrome accounted for 12.5% of all browsers used worldwide last month.

Existing copies of Chrome will be updated automatically to the patched edition by Google's silent, in-the-background update service.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@computerworld.com.

Read more about Desktop Apps in Computerworld's Desktop Apps Topic Center.