SecurityWeek

Chrome 52 Patches 48 Vulnerabilities

Google on Wednesday released Chrome 52 in the stable channel and revealed that no fewer than 48 security vulnerabilities were resolved in the popular web browser.

A total of 11 High risk vulnerabilities disclosed by external researchers were patched in Chrome 52, along with 6 Medium severity ones. However, the Internet giant has not yet revealed the bug bounties paid for all 17 security flaws.

The most important of the patched bugs is a sandbox escape in Pepper Plugin API (PPAPI), the cross-platform API for Native Client-secured web browser plugins. Tracked as CVE-2016-1706, the vulnerability is considered High risk and was discovered by Pinkie Pie, who was awarded $15,000 for the discovery.

Next in line is a URL spoofing issue on iOS, tracked as CVE-2016-1707 and credited to xisigr of Tencent’s Xuanwu Lab. This High risk bug earned the researcher a $3,000 bounty, Google revealed in its advisory.

The bounties for the remaining 9 High severity flaws will be disclosed at a later date. The issues include a use-after-free in Extensions (CVE-2016-1708), a heap buffer overflow in sfntly (CVE-2016-1709), same-origin bypass in Blink (CVE-2016-1710 and CVE-2016-1711), use-after-free in Blink (CVE-2016-5127), same-origin bypass in V8 (CVE-2016-5128), memory corruption in V8 (CVE-2016-5129), URL spoofing (CVE-2016-5130), and use-after-free in libxml (CVE-2016-5131).

Of the Medium risk issues, two were awarded $1,000 bounties each (CVE-2016-5132: limited same-origin bypass in Service Workers; and CVE-2016-5133: origin confusion in proxy authentication) and two were awarded $500 each (CVE-2016-5134: URL leakage via PAC script; and CVE-2016-5135: Content-Security-Policy bypass). The bounties for the remaining two (CVE-2016-5136: use-after-free in extensions; and CVE-2016-5137: history sniffing with HSTS and CSP) are yet to be disclosed.

Additionally, Google announced that its internal security work was responsible for discovering and patching a variety of other vulnerabilities.

Fixes for all of the security issues mentioned above, as well as for those that Google has not yet revealed, are included in the Chrome 52.0.2743.82 release. The new browser version is available for Windows, Mac and Linux users.

The previous major Chrome release (version 51.0.2704.63) arrived in late May with patches for 42 vulnerabilities. At the time, Google announced it paid $65,000 in bug bounties for 23 flaws disclosed by external researchers. Also in May, Google resolved multiple High risk vulnerabilities in Chrome 50.
