Chrome Cuts Vulnerabilities in Update

Friday, December 16, 2011 @ 02:12 PM gHale


It was a busy day at Google the other day as the company patched 15 vulnerabilities in Chrome, paid $6,000 in bounties to bug hunters who found them, and also updated the browser to version 16.

Six of the 15 vulnerabilities patched Tuesday were “high,” the second-most-serious ranking in Google’s system, while seven were labeled “medium” and another two were tagged as “low.”

RELATED STORIES
Google Looks at HTTPS Security
Google Fixes Chrome Hole, Again
Vulnerability Leader: Google
Patched Adobe Still has Victims

Google last refreshed Chrome seven weeks ago. Google produces an update to its “stable” channel about every six to eight weeks, a slightly more flexible schedule than Mozilla’s every-six-week pace.

Google paid $6,000 in bounties, or less than a fourth of what it laid out in October, to five researchers for reporting seven bugs. Google’s own security team found the eight other vulnerabilities.

The company has paid just over $180,000 so far this year in bounties to outside researchers.

Several of the bugs, including a pair attributed to independent researcher Arthur Gerkis, were found using Google’s memory error detection tool, AddressSanitizer. Released in June, AddressSanitizer can detect a variety of errors, including “use-after-free” memory management bugs like those reported by Gerkis.

Four of the flaws relate to Google’s parsing of PDF documents — the browser includes a built-in PDF viewer, eliminating the need to launch Adobe’s free Reader application — while two others were in Chrome’s processing of SVG (scalar vector graphics) images.

Per its usual practice, Google blocked access to its bug tracking database for all 15 vulnerabilities to prevent outsiders from obtaining details they could use to craft exploits. Google typically opens up the database weeks or even months later, after it’s sure a majority of users have had their browsers upgraded by Chrome’s silent updating process.

Google usually includes only a handful of obvious changes in each Chrome upgrade, and held to that practice yesterday: The sole feature it touted was the option to add additional users to Chrome so that several people could use the browser on a shared Mac or PC, but keep their synchronized content — bookmarks, passwords, installed apps, and more — separate.



Leave a Reply

You must be logged in to post a comment.