Security Experts:

Google Patches Over Dozen Serious Flaws in Chrome

Google announced on Tuesday the availability of Chrome 47, a version that brings 41 security fixes, including more than a dozen serious vulnerabilities reported by external researchers.

One or more anonymous researchers have been awarded the largest amount of money, taking home a total of $31,337 for three use-after-free vulnerabilities in AppCache (CVE-2015-6765, CVE-2015-6766, CVE-2015-6767).

Mariusz Mlynski earned a total of $30,500 for reporting four cross-origin bypass flaws in DOM (CVE-2015-6768, CVE-2015-6769, CVE-2015-6770, CVE-2015-6772).

Guang Gong of the Chinese security firm Qihoo 360 was awarded $7,500 for the out-of-bounds access issue (CVE-2015-6764) he reported in November at the Mobile Pwn2Own competition in Tokyo.

Other high severity issues patched with the release of Chrome 47 include out-of-bounds access vulnerabilities in V8, Skia, and PDFium, use-after-free flaws in Extensions and DOM, and a type confusion in PDFium. These vulnerabilities, which earned researchers between $3,000 and $7,500, have been assigned the following CVE identifiers: CVE-2015-6771, CVE-2015-6773, CVE-2015-6774, CVE-2015-6775, CVE-2015-6776 and CVE-2015-6777.

External researchers also reported half a dozen medium severity issues, including an out-of-bounds access in PDFium, a scheme bypass in PDFium, a use-after-free in Infobars, an integer overflow in Sfntly, a content spoofing bug in Omnibox, and a signature validation issue in Android Crazy Linker.

The researchers known as “cloudfuzzer” and “miaubiz,” Atte Kettunen of OUSPG, Hanno Böck, Long Liu of the Qihoo 360 Vulcan Team, Karl Skomski, Til Jasper Ullrich, Khalil Zhani, Luan Herrera, and Michal Bednarski have been credited for reporting medium and high impact vulnerabilities. As usual, some of the flaws patched with the latest version of Chrome have been identified by Google’s own security team.

So far, Google has paid out a total of more than $100,000 to researchers who contributed to making Chrome 47 more secure, but the amount could increase after all reports go through the search giant’s reward panel.

Chrome developers announced this week their intention to end support for the web browser on 32-bit Linux in early March 2016. Chrome will continue to work, but it will not receive updates and security fixes.

Related Reading: Zerodium Publishes Prices for Zero-Day Exploits

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.