Google on 24 March sewed up six security holes in its Chrome web browser with an upgrade to the stable and beta channels for Chrome 10.0.648.204 for Windows, Mac, Linux and Chrome Frame.
The search engine, which in this upgrade also added support for the browser’s password manager on Linux, and fortified Chrome’s performance and stability, paid out $8,500 (£5,300) to the discoverers of the six vulnerabilities, all of which were rated high risk.
The holes include a buffer error in base string handling, for which Google paid $500; use-after-free in the frame loader, which earned the finder $1,000; and a use-after-free in HTML Collection that netted the discovery $2,000.
A stale pointer hole in CSS handling cost Google $1,500. Another stale pointer, albeit in SVG text handling, earned the finder $1,500. Lastly, Google made a $2,000 payout for a DOM tree corruption with broken node parentage.
Google in January launched its Chromium Security Rewards programme, a controlled, crowdsourced approach to letting developers earn money by helping Google squash bugs in the open-source web browser.
The programme has since paid developers who found flaws more than $100,000 in rewards. Before this latest sextet of vulnerabilities, Google on 8 March patched 25 flaws to prepare for the Pwn2Own hacking contest, where it promised $20,000 to the first person who could hack Chrome. Google won.
Google, which records its changes in a log, said it is keeping technical details of the new patched holes under wraps until a majority of users are up to date with the fix.
The latest Chrome update also included two reissued and blacklisted SSL (secure socket layer) certificates to protect against the theft of nine digital certificates from a Comodo reseller. Computerworld sniffed out the reissues, which are detailed in the Chromium security log.
Attackers impersonating a Comodo Security partner grabbed nine valid digital certificates for seven domains belonging to Microsoft, Google, Yahoo and Skype.
While Comodo revoked the certificates immediately, Google, Mozilla and Microsoft each issued updates to block the certificates and warn users if they tried to connect to fake sites.
Fourth quarter results beat Wall Street expectations, as overall sales rise 6 percent, but EU…
Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…
Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…
Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…
Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…
Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…