CONFERENCE NOW LIVE: Threat Detection & Incident Response (TDIR) Summit - Join the Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Google Fixes 159 Security Bugs With Release of Chrome 38

Google announced on Tuesday the availability of Chrome 38 for Windows, Linux and Mac. The latest version of the Web browser patches a total of 159 security vulnerabilities.

Google announced on Tuesday the availability of Chrome 38 for Windows, Linux and Mac. The latest version of the Web browser patches a total of 159 security vulnerabilities.

In late September, Google revealed its intention to start paying more money to researchers who contribute to making Chrome more secure. More precisely, it promised between $500 and $15,000 per bug. The company has kept its promise and, on this occasion, it rewarded researchers who reported Chrome vulnerabilities with approximately $75,000.

According to the company, of the total of 159 flaws fixed in Chrome 38, 113 are relatively minor bugs found with the aid of MemorySanitizer, a tool designed to detect uninitialized memory reads in C/C++ programs.

The largest reward was handed out to Jüri Aedla, who identified a combination of V8 and IPC bugs that can lead to remote code execution outside the sandbox (CVE-2014-3188). Aedla has been rewarded with $27,633.70 for finding this critical issue which affects both Chrome and Chrome OS. The researcher also got $4,500 for an information leak in V8 (CVE-2014-3195).

According to Google’s new payment scheme, the maximum reward for a well-documented sandbox escape is $15,000. However, the company pays much more for particularly great reports. In August, the company paid $30,000 to a researcher known as lokihardt@asrt for a combination of bugs in V8, IPC, sync, and extensions that could have led to remote code execution outside the sandbox.

The researcher using the online moniker “cloudfuzzer” earned a total of $11,000 for identifying four high-severity vulnerabilities.  The expert uncovered three use-after-free issues in Events, Rendering and DOM, and an out-of-bounds read in PDFium.

James Forshaw was awarded $3,000 for a permission bypass in the Windows sandbox. Miaubiz and Takeshi Terada each received $1,500 for a high-severity type confusion in session management, respectively a medium-severity information leak in XSS Auditor.

Atte Kettunen of OUSPG and Collin Payne were given $1,500 and $2,000 for findings some vulnerabilities. However, Google gave them an additional $23,000 for working with the company during the development cycle to ensure that security flaws don’t make their way to the stable channel.

Advertisement. Scroll to continue reading.

Chrome for iOS has also been updated. In addition to better support for iPhone 6, the latest release also includes a fix for a low-severity issue with FaceTime and FaceTime-audio URL schemes identified by Matias Brutti.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Jeremy Koppen has left Mandiant after 13 years to become the CISO of Equifax.

Engineering and technology solutions provider Amentum has appointed Max Shier as its CISO.

PAM provider Keeper Security has appointed Shane Barney as its Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.