CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?



Chrome 51 Patches 42 Security Vulnerabilities

Released on Wednesday in the stable channel, Chrome 51 patches 42 security vulnerabilities, including 23 flaws that have been disclosed by external researchers.

Released on Wednesday in the stable channel, Chrome 51 patches 42 security vulnerabilities, including 23 flaws that have been disclosed by external researchers.

The popular web browser is now available for download as version 51.0.2704.63 for Windows, Mac and Linux computers and packs multiple fixes and improvements alongside the aforementioned security patches. Krishna Govind, Google Chrome team, notes that the Internet giant paid over $65,000 in bug bounties for the 23 vulnerabilities credited to external researchers.

Of these 23 flaws, 9 were rated High severity, 10 were rated Medium risk, while 4 were rated Low severity. A quick look over the list of bugs shows that several researchers disclosed multiple issues each: Mariusz Mlynski and Rob Wu were each credited for four flaws, Atte Kettunen for three, while Nicolas Gregoire and Ke Liu were credited for two flaws each.

By disclosing four High severity vulnerabilities in Chrome, each valued at $7,500, Mariusz Mlynski earned a total of $30,000. These flaws are CVE-2016-1672 (Cross-origin bypass in extension bindings), CVE-2016-1673 (Cross-origin bypass in Blink), CVE-2016-1674 (Cross-origin bypass in extensions), and CVE-2016-1675 (Cross-origin bypass in Blink).

Another Cross-origin bypass flaw in extension bindings (CVE-2016-1676) earned Rob Wu $7,500. The remaining four High risk flaws patched in Chrome 51 include a Heap overflow in V8 (CVE-2016-1678) credited to Christian Holler; a Heap use-after-free in V8 bindings (CVE-2016-1679), credited to Rob Wu; a Heap use-after-free in Skia (CVE-2016-1680), credited to Atte Kettunen of OUSPG; and a Heap overflow in PDFium (CVE-2016-1681), credited to Aleksandar Nikolic of Cisco Talos.

Google paid $3,500 for the first two of these and $3,000 for the other two, which was less than what Guang Gong of Qihoo 360 received for a Medium risk Type confusion issue in V8 (CVE-2016-1677), namely $4,000.

The remaining Medium risk bugs in Chrome were awarded $1,000 each: CSP bypass for ServiceWorker (CVE-2016-1682), Out-of-bounds access in libxslt (CVE-2016-1683), Integer overflow in libxslt (CVE-2016-1684), Out-of-bounds read in PDFium (CVE-2016-1685), Out-of-bounds read in PDFium (CVE-2016-1686), Information leak in extensions (CVE-2016-1687), Out-of-bounds read in V8 (CVE-2016-1688), Heap buffer overflow in media (CVE-2016-1689), and Heap use-after-free in Autofill (CVE-2016-1690).

There were four Low severity vulnerabilities patched in Chrome 51, evaluated at $500 each: Heap buffer-overflow in Skia (CVE-2016-1691), Limited cross-origin bypass in ServiceWorker (CVE-2016-1692), HTTP Download of Software Removal Tool (CVE-2016-1693), and HPKP pins removed on cache clearance (CVE-2016-1694).

Advertisement. Scroll to continue reading.

Additionally, Google says that the new browser release packs fixes for security issues that have been disclosed from internal audits, fuzzing and other initiatives. According to the company, many of these security bugs are detected using AddressSanitizer, MemorySanitizer, Control Flow Integrity or LibFuzzer.

Chrome 50, the previous major browser version, was released in the stable channel on April 14, with 20 security patches inside. Google released two security updates for it over one-month period, namely Chrome 50.0.2661.94 at the end of April and Chrome 50.0.2661.102 on May 11, meant to resolve 14 flaws in the application, most of which were High severity issues.

In March, Chrome 49 and two subsequent security updates patched a total of 34 vulnerabilities in the browser, including 15 High risk bugs disclosed by external researchers.

Related: Google Tightens Security Rules for Chrome Extensions

Related: Critical, High Severity Flaws Patched in Firefox

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.