Released on Wednesday in the stable channel, Chrome 51 patches 42 security vulnerabilities, including 23 flaws that have been disclosed by external researchers.
The popular web browser is now available for download as version 51.0.2704.63 for Windows, Mac and Linux computers and packs multiple fixes and improvements alongside the aforementioned security patches. Krishna Govind, Google Chrome team, notes that the Internet giant paid over $65,000 in bug bounties for the 23 vulnerabilities credited to external researchers.
Of these 23 flaws, 9 were rated High severity, 10 were rated Medium risk, while 4 were rated Low severity. A quick look over the list of bugs shows that several researchers disclosed multiple issues each: Mariusz Mlynski and Rob Wu were each credited for four flaws, Atte Kettunen for three, while Nicolas Gregoire and Ke Liu were credited for two flaws each.
By disclosing four High severity vulnerabilities in Chrome, each valued at $7,500, Mariusz Mlynski earned a total of $30,000. These flaws are CVE-2016-1672 (Cross-origin bypass in extension bindings), CVE-2016-1673 (Cross-origin bypass in Blink), CVE-2016-1674 (Cross-origin bypass in extensions), and CVE-2016-1675 (Cross-origin bypass in Blink).
Another Cross-origin bypass flaw in extension bindings (CVE-2016-1676) earned Rob Wu $7,500. The remaining four High risk flaws patched in Chrome 51 include a Heap overflow in V8 (CVE-2016-1678) credited to Christian Holler; a Heap use-after-free in V8 bindings (CVE-2016-1679), credited to Rob Wu; a Heap use-after-free in Skia (CVE-2016-1680), credited to Atte Kettunen of OUSPG; and a Heap overflow in PDFium (CVE-2016-1681), credited to Aleksandar Nikolic of Cisco Talos.
Google paid $3,500 for the first two of these and $3,000 for the other two, which was less than what Guang Gong of Qihoo 360 received for a Medium risk Type confusion issue in V8 (CVE-2016-1677), namely $4,000.
The remaining Medium risk bugs in Chrome were awarded $1,000 each: CSP bypass for ServiceWorker (CVE-2016-1682), Out-of-bounds access in libxslt (CVE-2016-1683), Integer overflow in libxslt (CVE-2016-1684), Out-of-bounds read in PDFium (CVE-2016-1685), Out-of-bounds read in PDFium (CVE-2016-1686), Information leak in extensions (CVE-2016-1687), Out-of-bounds read in V8 (CVE-2016-1688), Heap buffer overflow in media (CVE-2016-1689), and Heap use-after-free in Autofill (CVE-2016-1690).
There were four Low severity vulnerabilities patched in Chrome 51, evaluated at $500 each: Heap buffer-overflow in Skia (CVE-2016-1691), Limited cross-origin bypass in ServiceWorker (CVE-2016-1692), HTTP Download of Software Removal Tool (CVE-2016-1693), and HPKP pins removed on cache clearance (CVE-2016-1694).
Additionally, Google says that the new browser release packs fixes for security issues that have been disclosed from internal audits, fuzzing and other initiatives. According to the company, many of these security bugs are detected using AddressSanitizer, MemorySanitizer, Control Flow Integrity or LibFuzzer.
Chrome 50, the previous major browser version, was released in the stable channel on April 14, with 20 security patches inside. Google released two security updates for it over one-month period, namely Chrome 50.0.2661.94 at the end of April and Chrome 50.0.2661.102 on May 11, meant to resolve 14 flaws in the application, most of which were High severity issues.
In March, Chrome 49 and two subsequent security updates patched a total of 34 vulnerabilities in the browser, including 15 High risk bugs disclosed by external researchers.
Related: Google Tightens Security Rules for Chrome Extensions