Google pays record $26K in Chrome bug bounties
Revamps New Tab page with upgrade to Chrome 15
Computerworld - Google paid out a record $26,511 in bug bounties to researchers who reported some of the 18 Chrome vulnerabilities patched today.
The company also upgraded the stable version of the browser to version 15, which sports a revamped New Tab page.
Google last refreshed Chrome on Sept. 16, just over five weeks ago. Google produces an update to its "stable" channel about every six weeks, a practice that rival Mozilla copied with the debut of Firefox 5 last June.
Eleven of the 18 vulnerabilities were rated "high," the second-most-serious ranking in Google's scoring system, while three were tagged "medium" and another four were marked "low."
Google paid $26,511 in bounties, a record, to four researchers, including $13,674 to Sergey Glazunov and $10,337 to "miaubiz," a pair of regular Chrome vulnerability finders who together have accounted for 57% of all bug payments this year. Google has laid out over $170,000 in bounties so far during 2011.
The previous bounty record, set more than two months ago, was $17,000.
Glazunov and miaubiz collected their five-figure checks for reporting multiple bugs that Google then combined into one CVE (Common Vulnerabilities & Exposures) identifier.
Glazunov, for example, was awarded $12,147 for five bugs that Google named only as "cross-origin policy violations" and pooled under a single CVE in its typically terse description.
Miaubiz, meanwhile, was paid $6,337 for one CVE that actually contained six different bugs tracked by Google in its change database.
As is its habit, Google barred access to the bug tracker database for all the vulnerabilities to prevent outsiders from obtaining details on the flaws.
Most of the bugs uncovered by miaubiz, said Google, were discovered using the company's memory error detection tool, AddressSanitizer, that it released in June.
AddressSanitizer can detect a variety of errors, including "use-after-free" memory management bugs like the ones reported by miaubiz.
Google also said it updated Chrome to stymie BEAST, for "Browser Exploit Against SSL/TLS," a hacking tool released last month that attacks browsers and decrypts cookies, potentially giving attackers access to encrypted website log-on credentials.
Previously, Google had added anti-BEAST protection to Chrome's "dev" and "beta" channels, the rougher-edged versions that precede the stable build.
Microsoft has promised to patch Windows so that its Internet Explorer isn't vulnerable to BEAST's attacks, but has not set a timetable.
Chrome 15's most obvious change, however, is the redesigned New Tab page that appears when users click the right-most tab at the top of the browser's window or press the Ctrl-T key combination.
The new format offers easier navigation between online apps and most-used websites, the ability to organize apps by dragging and dropping, and a simpler way to remove apps or site from the screen.
Chrome 15 can be downloaded for Windows, Mac OS X and Linux from Google's Web site. Users already running the browser will be updated automatically via the browser's behind-the-scenes service.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
- Chrome users won't give up, keep pressing Google to restore old-style new tab page
- Google quashes 31 vulnerabilities, restores Metro mode 'steppers' with Chrome 34
- Firefox's UI face-lift on track for April debut
- Ex-Mozilla engineer blames Microsoft's rules for Metro Firefox's death
- Mozilla patches 20 Firefox flaws, plugs Pwn2Own holes
- Google reverses field, promises to restore Chrome's scrollbar arrows
- Update: Google ships Chrome 33, patches 28 bugs
- Mozilla's top exec defends in-Firefox ads, revenue search
- Mozilla taps in-Firefox ads as it searches for more revenue
- Mozilla ships Metro Firefox beta for Windows 8
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts