Google patches Chrome for second time in eight days
Fixes 12 flaws and updates bundled Flash Player to patch two more
Computerworld - Google on Thursday patched 12 Chrome vulnerabilities, the second time in eight days that the search company has updated its browser.
Most of the vulnerabilities -- eight of the dozen -- were identified as "use-after-free" bugs, a common type of memory vulnerability that researchers have found in large numbers within Chrome using Google's own AddressSanitizer detection tool.
Seven of the 12 bugs were rated "high," the second-most-serious ranking in Google's scoring system. Four were marked "medium" and one was labeled "low."
Google paid $6,000 in bounties to three researchers for reporting seven of the vulnerabilities. The others were unearthed by Google's own security team or were ineligible for a finder's fee.
One of the latter had been forwarded to Google by HP TippingPoint, which operates the Zero Day Initiative (ZDI) bug bounty program. Google does not pay bounties for vulnerabilities submitted to ZDI -- it only rewards researchers who have not been otherwise compensated -- a decision that has created friction between Google and ZDI in the past.
Among those who received checks were Arthur Gerkis and someone who goes by the nickname "miaubiz," two of three researchers who were awarded special $10,000 bonuses a month ago for what Google called "sustained, extraordinary" contributions.
Miaubiz took home $4,500 for his work.
Sergey Glazunov, one of those who pocketed $60,000 at the Pwnium hacking challenge Google sponsored last month, reported two of the 12 vulnerabilities. Neither was significant enough to rate a bounty payment, however.
Google has paid more than $216,000 in bug bounties this year, including $120,000 it distributed during Pwnium.
Thursday's update to Chrome 18 also included a new version of Adobe Flash Player that patched two critical memory corruption vulnerabilities in the Chrome interface. The pair, unique to the Flash Player bundled with the browser, were reported by a Google security engineer and a team from IBM's X-Force Research group.
According to the advisory that accompanied Thursday's update, Google also fixed several non-security issues, including some related to hardware acceleration, a feature the company switched on in Chrome when version 18 debuted March 28.
Chrome accounted for 18.6% of the browsers used worldwide last month, a decrease of about a third of a percentage point from February, said Internet measurement vendor Net Applications earlier this week. Chrome's usage share has declined three months running, and is down about 3% since the start of the year.
The patched version of Chrome 18 can be downloaded for Windows, Mac OS X and Linux from Google's website. Already installed copies of the browser will be updated automatically by Chrome's silent service.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is firstname.lastname@example.org.
Read more about Desktop Apps in Computerworld's Desktop Apps Topic Center.
- Architects lead the next generation of data-driven applications Read this whitepaper to find out how application architects can quickly and confidently deliver long-lasting applications that minimize cost, complexity, and risk while...
- HTTP Status Code Cheat Sheet Look at the Graph, Find the Code and Boom - You're Solving Problems. Identifying and understanding common HTTP status codes can go a...
- Simple Solution, Big Capability Meet growing employee and business demands by connecting up to 1,000 users with powerful collaboration capabilities with a single, integrated platform -- Cisco...
- The Business Value of Continuous Delivery Download this whitepaper to learn more about the business value of Continuous Delivery and see why it could be a game changer for...
- Cloud BI in Action: Recorded Webinar of Customer, Kony, Inc. See how Kony, Inc., a leading enterprise mobility company, is using TIBCO Jaspersoft for Amazon Web Services and Redshift to achieve embedded analytics...
- Cloud BI Overview: Jaspersoft for AWS Check out this overview of Jaspersoft for AWS, to easily and affordably build business intelligence solutions as well as embed visualizations and analytics... All Desktop Apps White Papers | Webcasts