Chrome 52 Patches 48 Vulnerabilities

Google on Wednesday released Chrome 52 in the stable channel and revealed that no fewer than 48 security vulnerabilities were resolved in the popular web browser.

A total of 11 High risk vulnerabilities disclosed by external researchers were patched in Chrome 52, along with 6 Medium severity ones. However, the Internet giant has not yet revealed the bug bounties paid for all 17 security flaws.

The most important of the patched bugs is a sandbox escape in Pepper Plugin API (PPAPI), the cross-platform API for Native Client-secured web browser plugins. Tracked as CVE-2016-1706, the vulnerability is considered High risk and was discovered by Pinkie Pie, who was awarded $15,000 for the discovery.

Next in line is a URL spoofing issue on iOS, tracked as CVE-2016-1707 and credited to xisigr of Tencent’s Xuanwu Lab. This High risk bug earned the researcher a $3,000 bounty, Google revealed in its advisory.

The bounties for the remaining 9 High severity flaws will be disclosed at a later date. The issues include a Use-after-free in Extensions (CVE-2016-1708), a Heap-buffer-overflow in sfntly (CVE-2016-1709), Same-origin bypass in Blink (CVE-2016-1710 and CVE-2016-1711), Use-after-free in Blink (CVE-2016-5127), Same-origin bypass in V8 (CVE-2016-5128), Memory corruption in V8 (CVE-2016-5129), URL spoofing (CVE-2016-5130), and Use-after-free in libxml (CVE-2016-5131).

Of the Medium risk issues, two were awarded $1,000 bounties each (CVE-2016-5132: limited same-origin bypass in Service Workers; and CVE-2016-5133: origin confusion in proxy authentication) and two were awarded $500 each (CVE-2016-5134: URL leakage via PAC script; and CVE-2016-5135: Content-Security-Policy bypass). The bounties for the remaining two (CVE-2016-5136: use after free in extensions; and CVE-2016-5137: history sniffing with HSTS and CSP) are yet to be disclosed.

Additionally, Google announced that its internal security work was responsible for discovering and patching a variety of other vulnerabilities.

Fixes for all of the security issues mentioned above, as well as for those that Google hasn’t revealed as of now, are included in the Chrome 52.0.2743.82 release. The new browser version is available for Windows, Mac and Linux users.

The previous major Chrome release (version 51.0.2704.63) arrived in late May with patches for 42 vulnerabilities. At the time, Google announced it paid $65,000 in bug bounties for 23 flaws disclosed by external researchers. Also in May, Google resolved multiple High risk vulnerabilities in Chrome 50.
