Google Pays For Chrome Fixes

Google on 24 March sewed up six security holes in its Chrome web browser with an upgrade to the stable and beta channels for Chrome 10.0.648.204 for Windows, Mac, Linux and Chrome Frame.

The search engine, which in this upgrade also added support for the browser’s password manager on Linux, and fortified Chrome’s performance and stability, paid out $8,500 (£5,300) to the discoverers of the six vulnerabilities, all of which were rated high risk.

High-risk flaws

The holes include a buffer error in base string handling, for which Google paid $500; use-after-free in the frame loader, which earned the finder $1,000; and a use-after-free in HTML Collection that netted the discovery $2,000.

A stale pointer hole in CSS handling cost Google $1,500. Another stale pointer, albeit in SVG text handling, earned the finder $1,500. Lastly, Google made a $2,000 payout for a DOM tree corruption with broken node parentage.

Google in January launched its Chromium Security Rewards programme, a controlled, crowdsourced approach to letting developers earn money by helping Google squash bugs in the open-source web browser.

The programme has since paid developers who found flaws more than $100,000 in rewards. Before this latest sextet of vulnerabilities, Google on 8 March patched 25 flaws to prepare for the Pwn2Own hacking contest, where it promised $20,000 to the first person who could hack Chrome. Google won.

Google, which records its changes in a log, said it is keeping technical details of the new patched holes under wraps until a majority of users are up to date with the fix.

The latest Chrome update also included two reissued and blacklisted SSL (secure socket layer) certificates to protect against the theft of nine digital certificates from a Comodo reseller. Computerworld sniffed out the reissues, which are detailed in the Chromium security log.

Attackers impersonating a Comodo Security partner grabbed nine valid digital certificates for seven domains belonging to Microsoft, Google, Yahoo and Skype.

While Comodo revoked the certificates immediately, Google, Mozilla and Microsoft each issued updates to block the certificates and warn users if they tried to connect to fake sites.

Clint Boulton eWEEK USA 2012. Ziff Davis Enterprise Inc. All Rights Reserved

Recent Posts

X’s Community Notes Fails To Stem US Election Misinformation – Report

Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…

1 day ago

Google Fined More Than World’s GDP By Russia

Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…

1 day ago

Spotify, Paramount Sign Up To Use Google Cloud ARM Chips

Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…

2 days ago

Meta Warns Of Accelerating AI Infrastructure Costs

Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…

2 days ago

AI Helps Boost Microsoft Cloud Revenues By 33 Percent

Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…

2 days ago