Google Patches High Security Flaws in Chrome 50

Google on Thursday released an updated version of Chrome 50 for Windows, Mac, and Linux, to resolve 9 security vulnerabilities in the popular web browser.

Six of the nine security issues were reported by external researchers, including four High risk flaws and two Medium risk ones. Google revealed that it paid $14,000 in bug bounties to the researchers who discovered these vulnerabilities in Chrome 50, awarding a $3,000 bounty for each High severity flaw and $1,000 for each of the two Medium severity flaws.

The first of the High risk bugs resolved in this update was an Out-of-bounds write in Blink (CVE-2016-1660), credited to Atte Kettunen of OUSPG, while the second was a memory corruption in cross-process frames (CVE-2016-1661) discovered by Wadih Matar.

Google also patched a Use-after-free bug in extensions (CVE-2016-1662), which was reported by Rob Wu, along with a Use-after-free issue in Blink’s V8 bindings (CVE-2016-1663), which was reported by an anonymous researcher.

The update for Chrome 50 also resolves an address bar spoofing issue (CVE-2016-1664) reported by Wadih Matar, along with an information leak in V8 (CVE-2016-1665), discovered by gksgudtjr456. Both vulnerabilities were deemed Medium risk.

Following the update, users will run Chrome 50.0.2661.94 on their Windows, Mac, or Linux machines. As usual, users are advised to install the software update as soon as possible to ensure their computers remain protected.

Google released Chrome 50 (build 50.0.2661.75) in the stable channel on April 14, when it patched 20 security flaws, including 8 vulnerabilities that earned external researchers a total of $17,500 in bug bounties.

Two of those issues were rated High severity, namely a Universal XSS (Cross-Site Scripting) in extension bindings (CVE-2016-1652), reported by an anonymous researcher, and an Out-of-bounds write in V8 (CVE-2016-1653), credited to Choongwoo Han. The release also patched five Medium severity flaws and a Low risk bug.

In early March, Google released Chrome 49 in the stable channel for Windows, Mac and Linux, with 26 security fixes inside. Only one week later, the company issued patches for three high risk flaws in the browser. In late March, Google released Chrome 49.0.2623.108 to patch five security issues, including four high risk vulnerabilities reported by external developers.

Earlier this week, Mozilla released Firefox 46 in the stable channel and addressed four critical vulnerabilities in the browser. These memory safety bugs affected the browser engine and Mozilla says that successful exploitation could have resulted in crashes and, in some circumstances, arbitrary code execution.
