Chrome 49 Released with 26 Security Fixes

Google on Wednesday released Chrome 49 in the stable channel for Windows, Mac and Linux, providing users with 26 security fixes and various other improvements.

The new browser release is available as version 49.0.2623.75 and was meant to resolve 8 High severity vulnerabilities and five Medium ones reported by external researchers. Google hasn’t released information on all of the flaws patched in this update, but did reveal that it paid nearly $40,000 in bug bounties, with an additional $14,500 in rewards issued for security bugs present on non-stable channels.

Among the most important vulnerabilities in this release were a same-origin bypass flaw in Blink (CVE-2016-1630) and a same-origin bypass in Pepper Plugin (CVE-2016-1631), which earned Mariusz Mlynski $8,000 and $7,500, respectively. Next in line was a bad cast in Extensions (CVE-2016-1632) valued at $5,000, which was disclosed by an anonymous researcher.

Two use-after-free flaws in Blink (CVE-2016-1633 and CVE-2016-1634) were disclosed by cloudfuzzer and were valued at $3,000, while a third similar vulnerability (CVE-2016-1635) earned Rob Wu $2,000. Google paid an additional $2,000 for an SRI validation bypass issue (CVE-2016-1636) and $500 for an out-of-bounds access flaw in libpng (CVE-2015-8126).

The most valuable Medium severity vulnerability patched in Chrome 49 was an information leak in Skia, which earned Keve Nagy $2,000. Google also resolved three Medium severity issues valued at $1,000 each, namely a WebAPI bypass (CVE-2016-1638), a use-after-free in WebRTC (CVE-2016-1639), and an origin confusion in Extensions UI (CVE-2016-1640), which were discovered by Rob Wu, Khalil Zhani, and Luan Herrera, respectively.

The fifth Medium severity flaw patched in Chrome 49 that was reported to Google by an external researcher was a use-after-free in Favicon (CVE-2016-1641) that earned Atte Kettunen of OUSPG a $500 reward.

According to Google, its internal testers were also responsible for a series of fixes in the new browser release. Among these, the company includes various fixes from internal audits, fuzzing and other initiatives (CVE-2016-1642) and notes that multiple vulnerabilities in V8 were fixed at the tip of the 4.9 branch (currently 4.9.385.26).

As usual, access to bug details and links is kept restricted until the fixes reach a majority of users, with the restrictions remaining in place for bugs that exist in third-party libraries that other projects depend on but haven’t yet fixed.

Roughly two weeks ago, Google released Chrome 48.0.2564.116 for Windows, Mac, and Linux to resolve a Critical flaw in the browser, after paying a $25,633.7 bounty to the anonymous researcher who discovered it. In January, the company patched 37 security vulnerabilities in the browser with the release of Chrome 48, while Chrome 47, which arrived in December, resolved 41 security issues.
