Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Chrome 49 Released with 26 Security Fixes

Google on Wednesday released Chrome 49 in the stable channel for Windows, Mac and Linux, providing users with 26 security fixes and various other improvements.

Google on Wednesday released Chrome 49 in the stable channel for Windows, Mac and Linux, providing users with 26 security fixes and various other improvements.

The new browser release is available as version 49.0.2623.75 and was meant to resolve 8 High severity vulnerabilities and five Medium ones reported by external researchers. Google hasn’t released information on all of the flaws patched in this update, but did reveal that it paid nearly $40,000 in bug bounties, with an additional $14,500 in rewards issued for security bugs present on non-stable channels.

One of the most important vulnerabilities in this release was a same-origin bypass flaw in Blink (CVE-2016-1630) and a same-origin bypass in Pepper Plugin (CVE-2016-1631), which earned Mariusz Mlynski $8,000 and $7,500, respectively. Next in line was a bad cast in Extensions (CVE-2016-1632) valued at $5,000, which was disclosed by an anonymous researcher.

Two use-after-free in Blink flaws (CVE-2016-1633 and CVE-2016-1634) were disclosed by cloudfuzzer and were valued at $3,000, while a third similar vulnerability (CVE-2016-1635) earned Rob Wu $2,000. Google paid an additional $2,000 for a SRI Validation Bypass issue (CVE-2016-1636) and $500 for an out-of-bounds access in libpng flaw (CVE-2015-8126).

The most valuable Medium severity vulnerability patched in Chrome 49 was an information leak in Skia flaw, which earned Keve Nagy $2,000. Google also resolved three Medium severity issues valued at $1,000 each, namely WebAPI Bypass (CVE-2016-1638), Use-after-free in WebRTC (CVE-2016-1639), and origin confusion in Extensions UI (CVE-2016-1640), which were discovered by Rob Wu, Khalil Zhani, and Luan Herrera, respectively.

The fifth Medium severity flaw patched in Chrome 49 that was signaled to Google by an external researcher was a Use-after-free in Favicon issue (CVE-2016-1641) that earned Atte Kettunen of OUSPG a $500 reward.

According to Google, its internal testers were also responsible for a series of fixes in the new browser release. Among these, the company includes various fixes from internal audits, fuzzing and other initiatives (CVE-2016-1642) and notes that multiple vulnerabilities in V8 were fixed at the tip of the 4.9 branch (currently 4.9.385.26).

As usual, access to bug details and links are kept restricted until the fixes reach a majority of users, with the restrictions remaining in place for bugs that exist in third party libraries that other projects depend on but haven’t yet fixed.

Advertisement. Scroll to continue reading.

Roughly two weeks ago, Google released Chrome 48.0.2564.116 for Windows, Mac, and Linux to resolve a Critical flaw in the browser, after paying a $25,633.7 bounty to the anonymous researcher who discovered it. In January, the company patched 37 security vulnerabilities in the browser with the release of Chrome 48, while Chrome 47, which arrived in December, resolved 41 security issues.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Shane Barney has been appointed CISO of password management and PAM solutions provider Keeper Security.

Edge Delta has appointed Joan Pepin as its Chief Information Security Officer.

Vats Srivatsan has been appointed interim CEO of WatchGuard after Prakash Panjwani stepped down.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.