Google has patched a high-risk vulnerability in its Chrome browser that allows an attacker to escape the Chrome sandbox.
That vulnerability is one of 48 bugs fixed in version 52 of Chrome released Wednesday.
Four dozen of those flaws are rated as high risks and Google paid out more than $22,000 in rewards to researchers who reported vulnerabilities to the company. Payment on an additional 11 bugs found by bug bounty hunters is pending, Google said.
Among the other serious vulnerabilities is a URL spoofing bug on iOS, a heap-buffer-overflow and four use-after-free vulnerabilities.
The bugs were found and reported via the Chrome bug bounty program. Longtime bug hunter Pinkie Pie earned $15,000 for a sandbox escape tied to Chrome’s Pepper Plugin API (PPAPI) component of the browser that aims to make plugins more secure and portable.
Google’s sandbox technology isolates system processes in an effort to prevent malware from escaping the Chrome browser and infecting the host computer or allowing it to steal information from the PC or execute remote code. This is just the latest out of many out-of-sandbox escape flaws fixed by Google in previous browser updates. It’s also just the latest sandbox escape flaw found by prolific hacker Pinkie Pie who earned $60,000 in 2012 at CanSecWest for finding several bugs including a sandbox escape bug. The following year Pinkie Pie earned another $50,000 at the Mobile Pwn2Own hacking contest for bugs once again tied to the Chrome sandbox escape bug.
Here are the public bugs fixed in Chrome 52:
[$15000][610600] High CVE-2016-1706: Sandbox escape in PPAPI. Credit to Pinkie Pie
[$3000][622183] High CVE-2016-1707: URL spoofing on iOS. Credit to xisigr of Tencent’s Xuanwu Lab
[$TBD][613949] High CVE-2016-1708: Use-after-free in Extensions. Credit to Adam Varsan
[$TBD][614934] High CVE-2016-1709: Heap-buffer-overflow in sfntly. Credit to ChenQin of Topsec Security Team
[$TBD][616907] High CVE-2016-1710: Same-origin bypass in Blink. Credit to Mariusz Mlynski
[$TBD][617495] High CVE-2016-1711: Same-origin bypass in Blink. Credit to Mariusz Mlynski
[$TBD][618237] High CVE-2016-5127: Use-after-free in Blink. Credit to cloudfuzzer
[$TBD][619166] High CVE-2016-5128: Same-origin bypass in V8. Credit to Anonymous
[$TBD][620553] High CVE-2016-5129: Memory corruption in V8. Credit to Jeonghoon Shin
[$TBD][623319] High CVE-2016-5130: URL spoofing. Credit to Wadih Matar
[$TBD][623378] High CVE-2016-5131: Use-after-free in libxml. Credit to Nick Wellnhofer
[$1000][607543] Medium CVE-2016-5132: Limited same-origin bypass in Service Workers. Credit to Ben Kelly
[$1000][613626] Medium CVE-2016-5133: Origin confusion in proxy authentication. Credit to Patch Eudor
[$500][593759] Medium CVE-2016-5134: URL leakage via PAC script. Credit to Paul Stone
[$500][605451] Medium CVE-2016-5135: Content-Security-Policy bypass. Credit to kingxwy
[$TBD][625393] Medium CVE-2016-5136: Use after free in extensions. Credit to Rob Wu
[$TBD][625945] Medium CVE-2016-5137: History sniffing with HSTS and CSP. Credit to Xiaoyin Liu