Google released a stable channel update for its Chrome browser yesterday, resolving 12 vulnerabilities: one rated ‘critical’, Google’s most severe rating; ten rated ‘high’, the second most severe; and one rated ‘medium’, the third.
Google paid out a total of $9,837 in bug bounties to researchers. Collin Payne was the big winner this month, pulling in $2,000 for a Windows-specific, high-rated vulnerability involving a bad handle passed to the renderer (CVE-2013-2854) and an additional $1337 for a use-after-free with workers accessing database APIs (CVE-2013-2860).
Google awarded a researcher named Miaubiz three $1,000 payouts for three high-rated bugs: one for a use-after-free in input handling (CVE-2013-2856), another for a use-after-free in image handling (CVE-2013-2857), and the third for a use-after-free with SVG (CVE-2013-2861).
Google awarded its second largest single bug payment to a researcher identified as ‘bobbyholley’ for a high-rated cross-origin namespace pollution problem (CVE-2013-2859).
Google also awarded $500 to a researcher named daniel.zulla for reporting a medium-rated memory corruption vulnerability in the developer tools API (CVE-2013-2855); $500 to ‘cdel921’ for reporting a high-rated use-after-free issue in HTML5 Audio; and $1000 to Atte Kettunen of the Oulu University Secure Programming Group for a high-rated memory corruption problem in Skia GPU handling (CVE-2013-2862).
The high-rated CVE-2013-2865 patch fixed a number of issues found by Google’s security team during internal audits.