Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Google Patches Over Dozen Serious Flaws in Chrome

Google announced on Tuesday the availability of Chrome 47, a version that brings 41 security fixes, including more than a dozen serious vulnerabilities reported by external researchers.

Google announced on Tuesday the availability of Chrome 47, a version that brings 41 security fixes, including more than a dozen serious vulnerabilities reported by external researchers.

One or more anonymous researchers have been awarded the largest amount of money, taking home a total of $31,337 for three use-after-free vulnerabilities in AppCache (CVE-2015-6765, CVE-2015-6766, CVE-2015-6767).

Mariusz Mlynski earned a total of $30,500 for reporting four cross-origin bypass flaws in DOM (CVE-2015-6768, CVE-2015-6769, CVE-2015-6770, CVE-2015-6772).

Guang Gong of the Chinese security firm Qihoo 360 was awarded $7,500 for the out-of-bounds access issue (CVE-2015-6764) he reported in November at the Mobile Pwn2Own competition in Tokyo.

Other high severity issues patched with the release of Chrome 47 include out-of-bounds access vulnerabilities in V8, Skia, and PDFium, use-after-free flaws in Extensions and DOM, and a type confusion in PDFium. These vulnerabilities, which earned researchers between $3,000 and $7,500, have been assigned the following CVE identifiers: CVE-2015-6771, CVE-2015-6773, CVE-2015-6774, CVE-2015-6775, CVE-2015-6776 and CVE-2015-6777.

External researchers also reported half a dozen medium severity issues, including an out-of-bounds access in PDFium, a scheme bypass in PDFium, a use-after-free in Infobars, an integer overflow in Sfntly, a content spoofing bug in Omnibox, and a signature validation issue in Android Crazy Linker.

The researchers known as “cloudfuzzer” and “miaubiz,” Atte Kettunen of OUSPG, Hanno Böck, Long Liu of the Qihoo 360 Vulcan Team, Karl Skomski, Til Jasper Ullrich, Khalil Zhani, Luan Herrera, and Michal Bednarski have been credited for reporting medium and high impact vulnerabilities. As usual, some of the flaws patched with the latest version of Chrome have been identified by Google’s own security team.

So far, Google has paid out a total of more than $100,000 to researchers who contributed to making Chrome 47 more secure, but the amount could increase after all reports go through the search giant’s reward panel.

Chrome developers announced this week their intention to end support for the web browser on 32-bit Linux in early March 2016. Chrome will continue to work, but it will not receive updates and security fixes.

Related Reading: Zerodium Publishes Prices for Zero-Day Exploits

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.