Security Experts:

Connect with us

Hi, what are you looking for?



Chrome 49 Released with 26 Security Fixes

Google on Wednesday released Chrome 49 in the stable channel for Windows, Mac and Linux, providing users with 26 security fixes and various other improvements.

Google on Wednesday released Chrome 49 in the stable channel for Windows, Mac and Linux, providing users with 26 security fixes and various other improvements.

The new browser release is available as version 49.0.2623.75 and was meant to resolve 8 High severity vulnerabilities and five Medium ones reported by external researchers. Google hasn’t released information on all of the flaws patched in this update, but did reveal that it paid nearly $40,000 in bug bounties, with an additional $14,500 in rewards issued for security bugs present on non-stable channels.

One of the most important vulnerabilities in this release was a same-origin bypass flaw in Blink (CVE-2016-1630) and a same-origin bypass in Pepper Plugin (CVE-2016-1631), which earned Mariusz Mlynski $8,000 and $7,500, respectively. Next in line was a bad cast in Extensions (CVE-2016-1632) valued at $5,000, which was disclosed by an anonymous researcher.

Two use-after-free in Blink flaws (CVE-2016-1633 and CVE-2016-1634) were disclosed by cloudfuzzer and were valued at $3,000, while a third similar vulnerability (CVE-2016-1635) earned Rob Wu $2,000. Google paid an additional $2,000 for a SRI Validation Bypass issue (CVE-2016-1636) and $500 for an out-of-bounds access in libpng flaw (CVE-2015-8126).

The most valuable Medium severity vulnerability patched in Chrome 49 was an information leak in Skia flaw, which earned Keve Nagy $2,000. Google also resolved three Medium severity issues valued at $1,000 each, namely WebAPI Bypass (CVE-2016-1638), Use-after-free in WebRTC (CVE-2016-1639), and origin confusion in Extensions UI (CVE-2016-1640), which were discovered by Rob Wu, Khalil Zhani, and Luan Herrera, respectively.

The fifth Medium severity flaw patched in Chrome 49 that was signaled to Google by an external researcher was a Use-after-free in Favicon issue (CVE-2016-1641) that earned Atte Kettunen of OUSPG a $500 reward.

According to Google, its internal testers were also responsible for a series of fixes in the new browser release. Among these, the company includes various fixes from internal audits, fuzzing and other initiatives (CVE-2016-1642) and notes that multiple vulnerabilities in V8 were fixed at the tip of the 4.9 branch (currently 4.9.385.26).

As usual, access to bug details and links are kept restricted until the fixes reach a majority of users, with the restrictions remaining in place for bugs that exist in third party libraries that other projects depend on but haven’t yet fixed.

Roughly two weeks ago, Google released Chrome 48.0.2564.116 for Windows, Mac, and Linux to resolve a Critical flaw in the browser, after paying a $25,633.7 bounty to the anonymous researcher who discovered it. In January, the company patched 37 security vulnerabilities in the browser with the release of Chrome 48, while Chrome 47, which arrived in December, resolved 41 security issues.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.