Google patches Chrome for second time in eight days
Fixes 12 flaws and updates bundled Flash Player to patch two more
Computerworld - Google on Thursday patched 12 Chrome vulnerabilities, the second time in eight days that the search company has updated its browser.
Most of the vulnerabilities -- eight of the dozen -- were identified as "use-after-free" bugs, a common type of memory vulnerability that researchers have found in large numbers within Chrome using Google's own AddressSanitizer detection tool.
Seven of the 12 bugs were rated "high," the second-most-serious ranking in Google's scoring system. Four were marked "medium" and one was labeled "low."
Google paid $6,000 in bounties to three researchers for reporting seven of the vulnerabilities. The others were unearthed by Google's own security team or were ineligible for a finder's fee.
One of the latter had been forwarded to Google by HP TippingPoint, which operates the Zero Day Initiative (ZDI) bug bounty program. Google does not pay bounties for vulnerabilities submitted to ZDI -- it only rewards researchers who have not been otherwise compensated -- a decision that has created friction between Google and ZDI in the past.
Among those who received checks were Arthur Gerkis and someone who goes by the nickname "miaubiz," two of three researchers who were awarded special $10,000 bonuses a month ago for what Google called "sustained, extraordinary" contributions.
Miaubiz took home $4,500 for his work.
Sergey Glazunov, one of those who pocketed $60,000 at the Pwnium hacking challenge Google sponsored last month, reported two of the 12 vulnerabilities. Neither was significant enough to rate a bounty payment, however.
Google has paid more than $216,000 in bug bounties this year, including $120,000 it distributed during Pwnium.
Thursday's update to Chrome 18 also included a new version of Adobe Flash Player that patched two critical memory corruption vulnerabilities in the Chrome interface. The pair, unique to the Flash Player bundled with the browser, were reported by a Google security engineer and a team from IBM's X-Force Research group.
According to the advisory that accompanied Thursday's update, Google also fixed several non-security issues, including some related to hardware acceleration, a feature the company switched on in Chrome when version 18 debuted March 28.
Chrome accounted for 18.6% of the browsers used worldwide last month, a decrease of about a third of a percentage point from February, said Internet measurement vendor Net Applications earlier this week. Chrome's usage share has declined three months running, and is down about 3% since the start of the year.
The patched version of Chrome 18 can be downloaded for Windows, Mac OS X and Linux from Google's website. Already installed copies of the browser will be updated automatically by Chrome's silent service.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is email@example.com.
Read more about Desktop Apps in Computerworld's Desktop Apps Topic Center.
- The Business Value of Continuous Delivery Download this whitepaper to learn more about the business value of Continuous Delivery and see why it could be a game changer for...
- Ten Factors Shaping the Future of Application Delivery Download this research report conducted by Enterprise Management Associates (EMA) to learn how those that are seeking to accelerate application delivery are leveraging...
- HTTP Status Code Cheat Sheet Look at the Graph, Find the Code and Boom - You're Solving Problems. Identifying and understanding common HTTP status codes can go a...
- Architects lead the next generation of data-driven applications Read this whitepaper to find out how application architects can quickly and confidently deliver long-lasting applications that minimize cost, complexity, and risk while...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Why Are Customers Really Deploying an NGFW? It seems every IT Security expert is talking about the NGFW, but what are people really doing? This webcast covers 5 real-world customer... All Desktop Apps White Papers | Webcasts