Google on Wednesday released Chrome 52 in the stable channel and revealed that no fewer than 48 security vulnerabilities were resolved in the popular web browser.
A total of 11 High risk vulnerabilities disclosed by external researchers were patched in Chrome 52, along with 6 Medium severity ones. However, the Internet giant has not yet revealed the bug bounties paid for all 17 security flaws.
The most important of the patched bugs is a sandbox escape in Pepper Plugin API (PPAPI), the cross-platform API for Native Client-secured web browser plugins. Tracked as CVE-2016-1706, the vulnerability is considered High risk and was discovered by Pinkie Pie, who was awarded $15,000 for the discovery.
Next in line is a URL spoofing flaw on iOS, tracked as CVE-2016-1707 and credited to xisigr of Tencent’s Xuanwu Lab. This High risk bug earned the researcher a $3,000 bounty, Google revealed in its advisory.
The bounties for the remaining 9 High severity flaws will be disclosed at a later date. The issues include a Use-after-free in Extensions (CVE-2016-1708), a Heap-buffer-overflow in sfntly (CVE-2016-1709), Same-origin bypass in Blink (CVE-2016-1710 and CVE-2016-1711), Use-after-free in Blink (CVE-2016-5127), Same-origin bypass in V8 (CVE-2016-5128), Memory corruption in V8 (CVE-2016-5129), URL spoofing (CVE-2016-5130), and Use-after-free in libxml (CVE-2016-5131).
Of the Medium risk issues, two were awarded $1,000 bounties each (CVE-2016-5132: limited same-origin bypass in Service Workers; and CVE-2016-5133: origin confusion in proxy authentication) and two were awarded $500 each (CVE-2016-5134: URL leakage via PAC script; and CVE-2016-5135: Content-Security-Policy bypass). The bounties for the remaining two (CVE-2016-5136: use after free in extensions; and CVE-2016-5137: history sniffing with HSTS and CSP) are yet to be disclosed.
Additionally, Google announced that its internal security work was responsible for discovering and patching a variety of other vulnerabilities.
Fixes for all of the security issues mentioned above, as well as for those that Google hasn’t revealed as of now, are included in the Chrome 52.0.2743.82 release. The new browser version is available for Windows, Mac and Linux users.
The previous major Chrome release (version 51.0.2704.63) arrived in late May with patches for 42 vulnerabilities. At the time, Google announced it paid $65,000 in bug bounties for 23 flaws disclosed by external researchers. Also in May, Google resolved multiple High risk vulnerabilities in Chrome 50.