Google has plugged 11 security holes in its latest update for the Chrome browser, including one that garnered a critical rating.
Details of the bugs remain mostly under wraps, as is Google’s usual practice. But based on what is known, the ‘critical’ vulnerability is a memory-corruption issue in vertex handling, discovered by Michael Braithwaite of Turbulenz Limited. According to Google, the flaw only affects Chrome users running Windows. The find earned Braithwaite a $1,337 reward.
Of the remaining 10 vulnerabilities, nine are rated ‘high.’ The final one is rated ‘medium.’
Here is a complete list of the vulnerabilities patched in Chrome 13.0.782.215:
• [$1000] [Windows only] [72492] Medium CVE-2011-2822: URL parsing confusion on the command line. Credit to Vladimir Vorontsov, ONsec company.
• [82552] High CVE-2011-2823: Use-after-free in line box handling. Credit to Google Chrome Security Team (SkyLined) and independent later discovery by miaubiz.
• [$1000] [88216] High CVE-2011-2824: Use-after-free with counter nodes. Credit to miaubiz.
• [88670] High CVE-2011-2825: Use-after-free with custom fonts. Credit to wushi of team509 reported through ZDI (ZDI-CAN-1283), plus independent later discovery by miaubiz.
• [$1000] [89402] High CVE-2011-2821: Double free in libxml XPath handling. Credit to Yang Dingning from NCNIPC, Graduate University of Chinese Academy of Sciences.
• [$1000] [87453] High CVE-2011-2826: Cross-origin violation with empty origins. Credit to Sergey Glazunov.
• [$1337] [Windows only] [89836] Critical CVE-2011-2806: Memory corruption in vertex handling. Credit to Michael Braithwaite of Turbulenz Limited.
• [$1000] [90668] High CVE-2011-2827: Use-after-free in text searching. Credit to miaubiz.
• [91517] High CVE-2011-2828: Out-of-bounds write in v8. Credit to Google Chrome Security Team (SkyLined).
• [$1500] [32-bit only] [91598] High CVE-2011-2829: Integer overflow in uniform arrays. Credit to Sergey Glazunov.
• [$1000] [Linux only] [91665] High CVE-2011-2839: Buggy memset() in PDF. Credit to Aki Helin of OUSPG.
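As an added example that is not part of the article, here is a small Python parser for the entry format used in the list above (bracketed bounty, platform and bug-id tags, then severity, CVE id, summary and credit), the kind of thing a patch-tracking workflow uses to pull out severity counts and platform-restricted fixes. The three sample entries are copied from the list; the field names and the summary keys are my own choices.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the entry format of the Chrome 13.0.782.215 notes quoted above
# (three of the eleven entries; the bounty and platform tags are optional).
ADVISORY_TEXT = """\
• [$1000] [Windows only] [72492] Medium CVE-2011-2822: URL parsing confusion on the command line. Credit to Vladimir Vorontsov, ONsec company.
• [82552] High CVE-2011-2823: Use-after-free in line box handling. Credit to Google Chrome Security Team (SkyLined) and independent later discovery by miaubiz.
• [$1337] [Windows only] [89836] Critical CVE-2011-2806: Memory corruption in vertex handling. Credit to Michael Braithwaite of Turbulenz Limited.
"""
# One bullet: bracketed tags, severity, CVE id, summary sentence, "Credit to ..." sentence.
ENTRY_RE = re.compile(
    r"^•\s*(?P<tags>(?:\[[^\]]*\]\s*)+)"
    r"(?P<severity>Critical|High|Medium|Low)\s+"
    r"(?P<cve>CVE-\d{4}-\d{4,}):\s*"
    r"(?P<summary>.*?)\.\s+Credit to (?P<credit>.*?)\.?\s*$"
)
TAG_RE = re.compile(r"\[([^\]]*)\]")

@dataclass
class Entry:
    cve: str
    severity: str
    bug_id: Optional[int]       # Chromium bug tracker id from the [NNNNN] tag
    summary: str
    credit: str
    bounty: Optional[int]       # None when no reward was listed
    platform: Optional[str]     # e.g. "Windows only"; None when unrestricted

def parse_entry(line: str) -> Entry:
    m = ENTRY_RE.match(line.strip())
    if not m:  # fail loudly rather than silently dropping an entry if the format drifts
        raise ValueError(f"unrecognised advisory line: {line!r}")
    bounty = bug_id = platform = None
    for tag in TAG_RE.findall(m["tags"]):
        if tag.startswith("$"):
            bounty = int(tag[1:])
        elif tag.isdigit():
            bug_id = int(tag)
        else:
            platform = tag
    return Entry(m["cve"], m["severity"], bug_id, m["summary"], m["credit"], bounty, platform)

def parse_advisory(text: str) -> list:
    return [parse_entry(l) for l in text.splitlines() if l.lstrip().startswith("•")]

def summarize(entries: list) -> dict:
    # Severity histogram, total rewards paid, and the CVEs restricted to one platform.
    return {"by_severity": dict(Counter(e.severity for e in entries)),
            "total_bounty": sum(e.bounty or 0 for e in entries),
            "platform_specific": [e.cve for e in entries if e.platform]}
```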