Google announced on Tuesday the availability of Chrome 38 for Windows, Linux and Mac. The latest version of the Web browser patches a total of 159 security vulnerabilities.
In late September, Google revealed its intention to start paying more money to researchers who contribute to making Chrome more secure. More precisely, it promised between $500 and $15,000 per bug. The company has kept its promise and, on this occasion, it rewarded researchers who reported Chrome vulnerabilities with approximately $75,000.
According to the company, of the total of 159 flaws fixed in Chrome 38, 113 are relatively minor bugs found with the aid of MemorySanitizer, a tool designed to detect uninitialized memory reads in C/C++ programs.
The largest reward was handed out to Jüri Aedla, who identified a combination of V8 and IPC bugs that can lead to remote code execution outside the sandbox (CVE-2014-3188). Aedla has been rewarded with $27,633.70 for finding this critical issue which affects both Chrome and Chrome OS. The researcher also got $4,500 for an information leak in V8 (CVE-2014-3195).
According to Google’s new payment scheme, the maximum reward for a well-documented sandbox escape is $15,000. However, the company pays much more for particularly great reports. In August, the company paid $30,000 to a researcher known as [email protected] for a combination of bugs in V8, IPC, sync, and extensions that could have led to remote code execution outside the sandbox.
The researcher using the online moniker “cloudfuzzer” earned a total of $11,000 for identifying four high-severity vulnerabilities. The expert uncovered three use-after-free issues in Events, Rendering and DOM, and an out-of-bounds read in PDFium.
James Forshaw was awarded $3,000 for a permission bypass in the Windows sandbox. Miaubiz and Takeshi Terada each received $1,500 for a high-severity type confusion in session management, respectively a medium-severity information leak in XSS Auditor.
Atte Kettunen of OUSPG and Collin Payne were given $1,500 and $2,000 for findings some vulnerabilities. However, Google gave them an additional $23,000 for working with the company during the development cycle to ensure that security flaws don’t make their way to the stable channel.
Chrome for iOS has also been updated. In addition to better support for iPhone 6, the latest release also includes a fix for a low-severity issue with FaceTime and FaceTime-audio URL schemes identified by Matias Brutti.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Ransomware Group Used MOVEit Exploit to Steal Data From Dozens of Organizations
- Cybersecurity M&A Roundup: 36 Deals Announced in May 2023
- In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
- Apple Denies Helping US Government Hack Russian iPhones
- Zero-Day in MOVEit File Transfer Software Exploited to Steal Data From Organizations
- Russia Blames US Intelligence for iOS Zero-Click Attacks
- Cisco Acquiring Armorblox for Predictive and Generative AI Technology
- Moxa Patches MXsecurity Vulnerabilities That Could Be Exploited in OT Attacks
Latest News
- What if the Current AI Hype Is a Dead End?
- Microsoft Makes SMB Signing Default Requirement in Windows 11 to Boost Security
- Zyxel Urges Customers to Patch Firewalls Against Exploited Vulnerabilities
- Gigabyte Rolls Out BIOS Updates to Remove Backdoor From Motherboards
- SBOMs – Software Supply Chain Security’s Future or Fantasy?
- Ransomware Group Used MOVEit Exploit to Steal Data From Dozens of Organizations
- Cybersecurity M&A Roundup: 36 Deals Announced in May 2023
- Insider Q&A: Artificial Intelligence and Cybersecurity In Military Tech
