Google announced on Tuesday the availability of Chrome 47, a version that brings 41 security fixes, including more than a dozen serious vulnerabilities reported by external researchers.
One or more anonymous researchers have been awarded the largest amount of money, taking home a total of $31,337 for three use-after-free vulnerabilities in AppCache (CVE-2015-6765, CVE-2015-6766, CVE-2015-6767).
Mariusz Mlynski earned a total of $30,500 for reporting four cross-origin bypass flaws in DOM (CVE-2015-6768, CVE-2015-6769, CVE-2015-6770, CVE-2015-6772).
Guang Gong of the Chinese security firm Qihoo 360 was awarded $7,500 for the out-of-bounds access issue (CVE-2015-6764) he reported in November at the Mobile Pwn2Own competition in Tokyo.
Other high severity issues patched with the release of Chrome 47 include out-of-bounds access vulnerabilities in V8, Skia, and PDFium, use-after-free flaws in Extensions and DOM, and a type confusion in PDFium. These vulnerabilities, which earned researchers between $3,000 and $7,500, have been assigned the following CVE identifiers: CVE-2015-6771, CVE-2015-6773, CVE-2015-6774, CVE-2015-6775, CVE-2015-6776 and CVE-2015-6777.
External researchers also reported half a dozen medium severity issues, including an out-of-bounds access in PDFium, a scheme bypass in PDFium, a use-after-free in Infobars, an integer overflow in Sfntly, a content spoofing bug in Omnibox, and a signature validation issue in Android Crazy Linker.
The researchers known as “cloudfuzzer” and “miaubiz,” Atte Kettunen of OUSPG, Hanno Böck, Long Liu of the Qihoo 360 Vulcan Team, Karl Skomski, Til Jasper Ullrich, Khalil Zhani, Luan Herrera, and Michal Bednarski have been credited for reporting medium and high impact vulnerabilities. As usual, some of the flaws patched with the latest version of Chrome have been identified by Google’s own security team.
So far, Google has paid out a total of more than $100,000 to researchers who contributed to making Chrome 47 more secure, but the amount could increase after all reports go through the search giant’s reward panel.
Chrome developers announced this week their intention to end support for the web browser on 32-bit Linux in early March 2016. Chrome will continue to work, but it will not receive updates and security fixes.
Related Reading: Zerodium Publishes Prices for Zero-Day Exploits
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Critical Baicells Device Vulnerability Can Expose Telecoms Networks to Snooping
- SecurityWeek Analysis: Over 450 Cybersecurity M&A Deals Announced in 2022
- VMware ESXi Servers Targeted in Ransomware Attack via Old Vulnerability
- High-Severity Privilege Escalation Vulnerability Patched in VMware Workstation
- GoAnywhere MFT Users Warned of Zero-Day Exploit
- UK Car Retailer Arnold Clark Hit by Ransomware
- EV Charging Management System Vulnerabilities Allow Disruption, Energy Theft
- Unpatched Econolite Traffic Controller Vulnerabilities Allow Remote Hacking
Latest News
- Comcast Wants a Slice of the Enterprise Cybersecurity Business
- Critical Baicells Device Vulnerability Can Expose Telecoms Networks to Snooping
- New York Attorney General Fines Vendor for Illegally Promoting Spyware
- SecurityWeek Analysis: Over 450 Cybersecurity M&A Deals Announced in 2022
- 20 Million Users Impacted by Data Breach at Instant Checkmate, TruthFinder
- Cyber Insights 2023 | Zero Trust and Identity and Access Management
- Cyber Insights 2023 | The Coming of Web3
- European Police Arrest 42 After Cracking Covert App
