CONFERENCE Cyber AI & Automation Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Google Patches Over Dozen Serious Flaws in Chrome

Google announced on Tuesday the availability of Chrome 47, a version that brings 41 security fixes, including more than a dozen serious vulnerabilities reported by external researchers.

Google announced on Tuesday the availability of Chrome 47, a version that brings 41 security fixes, including more than a dozen serious vulnerabilities reported by external researchers.

One or more anonymous researchers have been awarded the largest amount of money, taking home a total of $31,337 for three use-after-free vulnerabilities in AppCache (CVE-2015-6765, CVE-2015-6766, CVE-2015-6767).

Mariusz Mlynski earned a total of $30,500 for reporting four cross-origin bypass flaws in DOM (CVE-2015-6768, CVE-2015-6769, CVE-2015-6770, CVE-2015-6772).

Guang Gong of the Chinese security firm Qihoo 360 was awarded $7,500 for the out-of-bounds access issue (CVE-2015-6764) he reported in November at the Mobile Pwn2Own competition in Tokyo.

Other high severity issues patched with the release of Chrome 47 include out-of-bounds access vulnerabilities in V8, Skia, and PDFium, use-after-free flaws in Extensions and DOM, and a type confusion in PDFium. These vulnerabilities, which earned researchers between $3,000 and $7,500, have been assigned the following CVE identifiers: CVE-2015-6771, CVE-2015-6773, CVE-2015-6774, CVE-2015-6775, CVE-2015-6776 and CVE-2015-6777.

External researchers also reported half a dozen medium severity issues, including an out-of-bounds access in PDFium, a scheme bypass in PDFium, a use-after-free in Infobars, an integer overflow in Sfntly, a content spoofing bug in Omnibox, and a signature validation issue in Android Crazy Linker.

The researchers known as “cloudfuzzer” and “miaubiz,” Atte Kettunen of OUSPG, Hanno Böck, Long Liu of the Qihoo 360 Vulcan Team, Karl Skomski, Til Jasper Ullrich, Khalil Zhani, Luan Herrera, and Michal Bednarski have been credited for reporting medium and high impact vulnerabilities. As usual, some of the flaws patched with the latest version of Chrome have been identified by Google’s own security team.

So far, Google has paid out a total of more than $100,000 to researchers who contributed to making Chrome 47 more secure, but the amount could increase after all reports go through the search giant’s reward panel.

Advertisement. Scroll to continue reading.

Chrome developers announced this week their intention to end support for the web browser on 32-bit Linux in early March 2016. Chrome will continue to work, but it will not receive updates and security fixes.

Related Reading: Zerodium Publishes Prices for Zero-Day Exploits

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Shanta Kohli has been named CMO at Sysdig.

Cloud security firm Sysdig has appointed Sergej Epp as CISO.

F5 has appointed John Maddison as Chief Product Marketing and Technology Alliances Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.