Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Chrome 51 Patches 42 Security Vulnerabilities

Released on Wednesday in the stable channel, Chrome 51 patches 42 security vulnerabilities, including 23 flaws that have been disclosed by external researchers.

Released on Wednesday in the stable channel, Chrome 51 patches 42 security vulnerabilities, including 23 flaws that have been disclosed by external researchers.

The popular web browser is now available for download as version 51.0.2704.63 for Windows, Mac and Linux computers and packs multiple fixes and improvements alongside the aforementioned security patches. Krishna Govind, Google Chrome team, notes that the Internet giant paid over $65,000 in bug bounties for the 23 vulnerabilities credited to external researchers.

Of these 23 flaws, 9 were rated High severity, 10 were rated Medium risk, while 4 were rated Low severity. A quick look over the list of bugs shows that several researchers disclosed multiple issues each: Mariusz Mlynski and Rob Wu were each credited for four flaws, Atte Kettunen for three, while Nicolas Gregoire and Ke Liu were credited for two flaws each.

By disclosing four High severity vulnerabilities in Chrome, each valued at $7,500, Mariusz Mlynski earned a total of $30,000. These flaws are CVE-2016-1672 (Cross-origin bypass in extension bindings), CVE-2016-1673 (Cross-origin bypass in Blink), CVE-2016-1674 (Cross-origin bypass in extensions), and CVE-2016-1675 (Cross-origin bypass in Blink).

Another Cross-origin bypass flaw in extension bindings (CVE-2016-1676) earned Rob Wu $7,500. The remaining four High risk flaws patched in Chrome 51 include a Heap overflow in V8 (CVE-2016-1678) credited to Christian Holler; a Heap use-after-free in V8 bindings (CVE-2016-1679), credited to Rob Wu; a Heap use-after-free in Skia (CVE-2016-1680), credited to Atte Kettunen of OUSPG; and a Heap overflow in PDFium (CVE-2016-1681), credited to Aleksandar Nikolic of Cisco Talos.

Google paid $3,500 for the first two of these and $3,000 for the other two, which was less than what Guang Gong of Qihoo 360 received for a Medium risk Type confusion issue in V8 (CVE-2016-1677), namely $4,000.

The remaining Medium risk bugs in Chrome were awarded $1,000 each: CSP bypass for ServiceWorker (CVE-2016-1682), Out-of-bounds access in libxslt (CVE-2016-1683), Integer overflow in libxslt (CVE-2016-1684), Out-of-bounds read in PDFium (CVE-2016-1685), Out-of-bounds read in PDFium (CVE-2016-1686), Information leak in extensions (CVE-2016-1687), Out-of-bounds read in V8 (CVE-2016-1688), Heap buffer overflow in media (CVE-2016-1689), and Heap use-after-free in Autofill (CVE-2016-1690).

There were four Low severity vulnerabilities patched in Chrome 51, evaluated at $500 each: Heap buffer-overflow in Skia (CVE-2016-1691), Limited cross-origin bypass in ServiceWorker (CVE-2016-1692), HTTP Download of Software Removal Tool (CVE-2016-1693), and HPKP pins removed on cache clearance (CVE-2016-1694).

Additionally, Google says that the new browser release packs fixes for security issues that have been disclosed from internal audits, fuzzing and other initiatives. According to the company, many of these security bugs are detected using AddressSanitizer, MemorySanitizer, Control Flow Integrity or LibFuzzer.

Chrome 50, the previous major browser version, was released in the stable channel on April 14, with 20 security patches inside. Google released two security updates for it over one-month period, namely Chrome 50.0.2661.94 at the end of April and Chrome 50.0.2661.102 on May 11, meant to resolve 14 flaws in the application, most of which were High severity issues.

In March, Chrome 49 and two subsequent security updates patched a total of 34 vulnerabilities in the browser, including 15 High risk bugs disclosed by external researchers.

Related: Google Tightens Security Rules for Chrome Extensions

Related: Critical, High Severity Flaws Patched in Firefox

Written By

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.