Google Pays For Chrome Fixes

Google on 24 March sewed up six security holes in its Chrome web browser with an upgrade to the stable and beta channels for Chrome 10.0.648.204 for Windows, Mac, Linux and Chrome Frame.

The search engine, which in this upgrade also added support for the browser’s password manager on Linux, and fortified Chrome’s performance and stability, paid out $8,500 (£5,300) to the discoverers of the six vulnerabilities, all of which were rated high risk.

High-risk flaws

The holes include a buffer error in base string handling, for which Google paid $500; use-after-free in the frame loader, which earned the finder $1,000; and a use-after-free in HTML Collection that netted the discovery $2,000.

A stale pointer hole in CSS handling cost Google $1,500. Another stale pointer, albeit in SVG text handling, earned the finder $1,500. Lastly, Google made a $2,000 payout for a DOM tree corruption with broken node parentage.

Google in January launched its Chromium Security Rewards programme, a controlled, crowdsourced approach to letting developers earn money by helping Google squash bugs in the open-source web browser.

The programme has since paid developers who found flaws more than $100,000 in rewards. Before this latest sextet of vulnerabilities, Google on 8 March patched 25 flaws to prepare for the Pwn2Own hacking contest, where it promised $20,000 to the first person who could hack Chrome. Google won.

Google, which records its changes in a log, said it is keeping technical details of the new patched holes under wraps until a majority of users are up to date with the fix.

The latest Chrome update also included two reissued and blacklisted SSL (secure socket layer) certificates to protect against the theft of nine digital certificates from a Comodo reseller. Computerworld sniffed out the reissues, which are detailed in the Chromium security log.

Attackers impersonating a Comodo Security partner grabbed nine valid digital certificates for seven domains belonging to Microsoft, Google, Yahoo and Skype.

While Comodo revoked the certificates immediately, Google, Mozilla and Microsoft each issued updates to block the certificates and warn users if they tried to connect to fake sites.

Clint Boulton eWEEK USA 2012. Ziff Davis Enterprise Inc. All Rights Reserved

Recent Posts

Apple, Google Mobile Ecosystems Should Be Investigated, CMA Told

CMA receives 'provisional recommendation' from independent inquiry that Apple,Google mobile ecosystem needs investigation

7 hours ago

Australia Rejects Elon Musk Claim About Social Media Ban For Under-16s

Government minister flatly rejects Elon Musk's “unsurprising” allegation that Australian government seeks control of Internet…

9 hours ago

Northvolt Files For Bankruptcy Protection In US

Northvolt files for Chapter 11 bankruptcy protection in the United States, and CEO and co-founder…

11 hours ago

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

1 day ago

Former Policy Boss At X, Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

1 day ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

1 day ago