Google released an updated version of its Chrome browser on Thursday to fix nine high-severity vulnerabilities that, if exploited, could allow adversaries to take control of targeted systems. As part of the update, Google thanked nearly two dozen bug hunters with bug bounty payments totaling $38,000.
Topping the list of vulnerabilities patched are a memory corruption flaw in the V8 JavaScript engine, a use-after-free bug found in Google’s Almost Native Graphics Layer Engine, and an out-of-bounds write flaw found in the PDFium component of the Chrome browser.
Google said its Chrome version 57.0.2987.98 update for Windows, Mac and Linux includes a number of fixes and improvements, and that it will roll them out over the coming days and weeks. Beta Chrome 57 was introduced in February and included new features such as CSS grid layout, improved add to home screen and the Media Session API. Chrome 57.0.2987.98 was released to Google’s Stable channel, which means the software is fully tested by the Chrome OS team.
In November, Google said it removed support for SHA-1 certificates in Chrome 56, but will distinguish between certificates chained to a public Certificate Authority and those chained to local CAs. However, with the introduction of Chrome 57, released to the Stable channel in March, Google said at the time, “Features which require a secure origin, such as geolocation, will continue to work, however pages will be displayed as ‘neutral, lacking security.’ Without this policy set, SHA-1 certificates that chain to locally installed roots will not be trusted starting with Chrome 57.”
Google did not mention the additional SHA-1 notification feature Thursday with the rollout of Chrome 57.0.2987.98. However, it said more information regarding Chrome 57 is pending via its Chrome and Chromium blog.
The Chrome security holes were disclosed to Google’s Chromium Project and its bug bounty program. The largest bounty, $7,500, was paid to researcher Brendon Tiszka for the memory corruption flaw (CVE-2017-5030) in the V8 JavaScript engine.
The second-highest bounty, $5,000, was paid to researcher Looben Yang for the use-after-free bug (CVE-2017-5031) found in Google’s Almost Native Graphics Layer Engine.