Google patches Chrome for second time in eight days
Fixes 12 flaws and updates bundled Flash Player to patch two more
Computerworld - Google on Thursday patched 12 Chrome vulnerabilities, the second time in eight days that the search company has updated its browser.
Most of the vulnerabilities -- eight of the dozen -- were identified as "use-after-free" bugs, a common type of memory vulnerability that researchers have found in large numbers within Chrome using Google's own AddressSanitizer detection tool.
Seven of the 12 bugs were rated "high," the second-most-serious ranking in Google's scoring system. Four were marked "medium" and one was labeled "low."
Google paid $6,000 in bounties to three researchers for reporting seven of the vulnerabilities. The others were unearthed by Google's own security team or were ineligible for a finder's fee.
One of the latter had been forwarded to Google by HP TippingPoint, which operates the Zero Day Initiative (ZDI) bug bounty program. Google does not pay bounties for vulnerabilities submitted to ZDI -- it only rewards researchers who have not been otherwise compensated -- a decision that has created friction between Google and ZDI in the past.
Among those who received checks were Arthur Gerkis and someone who goes by the nickname "miaubiz," two of three researchers who were awarded special $10,000 bonuses a month ago for what Google called "sustained, extraordinary" contributions.
Miaubiz took home $4,500 for his work.
Sergey Glazunov, one of those who pocketed $60,000 at the Pwnium hacking challenge Google sponsored last month, reported two of the 12 vulnerabilities. Neither was significant enough to rate a bounty payment, however.
Google has paid more than $216,000 in bug bounties this year, including $120,000 it distributed during Pwnium.
Thursday's update to Chrome 18 also included a new version of Adobe Flash Player that patched two critical memory corruption vulnerabilities in the Chrome interface. The pair, unique to the Flash Player bundled with the browser, were reported by a Google security engineer and a team from IBM's X-Force Research group.
According to the advisory that accompanied Thursday's update, Google also fixed several non-security issues, including some related to hardware acceleration, a feature the company switched on in Chrome when version 18 debuted March 28.
Chrome accounted for 18.6% of the browsers used worldwide last month, a decrease of about a third of a percentage point from February, said Internet measurement vendor Net Applications earlier this week. Chrome's usage share has declined three months running, and is down about 3% since the start of the year.
The patched version of Chrome 18 can be downloaded for Windows, Mac OS X and Linux from Google's website. Already installed copies of the browser will be updated automatically by Chrome's silent service.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.