Connect with us

Hi, what are you looking for?



Google Fixes 159 Security Bugs With Release of Chrome 38

Google announced on Tuesday the availability of Chrome 38 for Windows, Linux and Mac. The latest version of the Web browser patches a total of 159 security vulnerabilities.

Google announced on Tuesday the availability of Chrome 38 for Windows, Linux and Mac. The latest version of the Web browser patches a total of 159 security vulnerabilities.

In late September, Google revealed its intention to start paying more money to researchers who contribute to making Chrome more secure. More precisely, it promised between $500 and $15,000 per bug. The company has kept its promise and, on this occasion, it rewarded researchers who reported Chrome vulnerabilities with approximately $75,000.

According to the company, of the total of 159 flaws fixed in Chrome 38, 113 are relatively minor bugs found with the aid of MemorySanitizer, a tool designed to detect uninitialized memory reads in C/C++ programs.

The largest reward was handed out to Jüri Aedla, who identified a combination of V8 and IPC bugs that can lead to remote code execution outside the sandbox (CVE-2014-3188). Aedla has been rewarded with $27,633.70 for finding this critical issue which affects both Chrome and Chrome OS. The researcher also got $4,500 for an information leak in V8 (CVE-2014-3195).

According to Google’s new payment scheme, the maximum reward for a well-documented sandbox escape is $15,000. However, the company pays much more for particularly great reports. In August, the company paid $30,000 to a researcher known as [email protected] for a combination of bugs in V8, IPC, sync, and extensions that could have led to remote code execution outside the sandbox.

The researcher using the online moniker “cloudfuzzer” earned a total of $11,000 for identifying four high-severity vulnerabilities.  The expert uncovered three use-after-free issues in Events, Rendering and DOM, and an out-of-bounds read in PDFium.

James Forshaw was awarded $3,000 for a permission bypass in the Windows sandbox. Miaubiz and Takeshi Terada each received $1,500 for a high-severity type confusion in session management, respectively a medium-severity information leak in XSS Auditor.

Advertisement. Scroll to continue reading.

Atte Kettunen of OUSPG and Collin Payne were given $1,500 and $2,000 for findings some vulnerabilities. However, Google gave them an additional $23,000 for working with the company during the development cycle to ensure that security flaws don’t make their way to the stable channel.

Chrome for iOS has also been updated. In addition to better support for iPhone 6, the latest release also includes a fix for a low-severity issue with FaceTime and FaceTime-audio URL schemes identified by Matias Brutti.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.