Google Fixes Security Holes with Chrome 59

Tuesday, June 6, 2017 @ 05:06 PM gHale

Google released Chrome 59 which fixes multiple security vulnerabilities.

Thirty vulnerabilities ended up fixed in the latest version of the web browser, including quite a few reported by external researchers. The experts who contributed to making Chrome more secure earned more than $23,000.

Chrome Bug Records Audio, Video
Tor Moves to Cut Guard-Capture Attacks
Security Updates for Tor Browser
Chrome Updated with Security Fixes

The most serious of the vulnerabilities came to Google from Zhao Qixun, aka S0rryMybad, of the Qihoo 360 Vulcan Team. The researcher discovered a high severity type confusion flaw in the V8 JavaScript engine (CVE-2017-5070) that earned him $7,500.

In April, Choongwoo Han and Rayyan Bijoora reported high severity out-of-bounds read (CVE-2017-5071) and omnibox address spoofing (CVE-2017-5072) flaws that earned them each $3,000.

High severity use-after-free bugs ended up found by Khalil Zhani and an anonymous researcher, which brought them $2,000 and $1,000, respectively. Emmanuel Gil Peyrot also picked up a cool $2,000 for disclosing a medium severity information disclosure issue in CSP reporting.

The list of medium and low severity vulnerabilities patched with the release of Chrome 59 have been described as omnibox address spoofing, Skia buffer overflow, command injection in mailto handling, Blink user interface spoofing, extension verification bypass, and inappropriate JavaScript execution on WebUI pages.

Researchers also found a use-after-free vulnerability in the credit card autofill feature, and discovered the credit card editor had been insufficiently hardened.

Leave a Reply

You must be logged in to post a comment.