Google has plugged 50 security vulnerabilities in the latest update to the Chrome browser.
Among the issues fixed in Chrome 37 are a number of bugs that can be used together to break out of the Chrome sandbox and execute code remotely. That discovery earned the researcher behind it a $30,000 bug bounty. Several other vulnerabilities earned researchers between $500 and $4,000.
Here are some of the bugs fixed in the update and their associated rewards:
[$30000][386988] Critical CVE-2014-3176, CVE-2014-3177: A special reward to [email protected] for a combination of bugs in V8, IPC, sync, and extensions that can lead to remote code execution outside of the sandbox.
[$2000][369860] High CVE-2014-3168: Use-after-free in SVG. Credit to cloudfuzzer.
[$2000][387389] High CVE-2014-3169: Use-after-free in DOM. Credit to Andrzej Dyjak.
[$1000][390624] High CVE-2014-3170: Extension permission dialog spoofing. Credit to Rob Wu.
[$4000][390928] High CVE-2014-3171: Use-after-free in bindings. Credit to cloudfuzzer.
[$1500][367567] Medium CVE-2014-3172: Issue related to extension debugging. Credit to Eli Grey.
[$2000][376951] Medium CVE-2014-3173: Uninitialized memory read in WebGL. Credit to jmuizelaar.
[$500][389219] Medium CVE-2014-3174: Uninitialized memory read in Web Audio. Credit to Atte Kettunen from OUSPG.
“We would also like to thank Collin Payne, Christoph Diehl, Sebastian Mauer, Atte Kettunen, and cloudfuzzer for working with us during the development cycle to prevent security bugs from ever reaching the stable channel,” according to Google. “$8000 in additional rewards were issued.”
More from Brian Prince
- U.S. Healthcare Companies Hardest Hit by ‘Stegoloader’ Malware
- CryptoWall Ransomware Cost Victims More Than $18 Million Since April 2014: FBI
- New Adobe Flash Player Flaw Shares Similarities With Previous Vulnerability: Trend Micro
- Visibility Challenges Industrial Control System Security: Survey
- Adobe Flash Player Zero-Day Exploited in Attack Campaign
- Researchers Demonstrate Stealing Encryption Keys Via Radio
- Researchers Uncover Critical RubyGems Vulnerabilities
- NSA, GCHQ Linked to Efforts to Compromise Antivirus Vendors: Report
Latest News
- Fraudulent “CryptoRom” Apps Slip Through Apple and Google App Store Review Process
- US Downs Chinese Balloon Off Carolina Coast
- Microsoft: Iran Unit Behind Charlie Hebdo Hack-and-Leak Op
- Feds Say Cyberattack Caused Suicide Helpline’s Outage
- Big China Spy Balloon Moving East Over US, Pentagon Says
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Cyber Insights 2023: Venture Capital
- Atlassian Warns of Critical Jira Service Management Vulnerability
