Google has fixed 50 security vulnerabilities in its Chrome browser, including a critical string of bugs that can allow an attacker to execute arbitrary code outside of the browser’s sandbox.
This is one of the larger batches of fixes that Google has produced for Chrome recently. The company releases frequent updates for the browser and often will push out a new version with only a handful of security patches. But Chrome 37 includes 50 patches, a huge number by any measure. The most notable vulnerability patched in this version is actually a combo platter of several flaws that can be used to escape the Chrome sandbox and gain remote code execution.
The group of vulnerabilities earned the security researcher who reported them a $30,000 bug bounty from Google, one of the higher rewards that the company has given to a researcher outside of its Pwnium competitions. Google’s bug bounties typically fall into the $1,000-$5,000 range, but the company’ security team sometimes will award significantly higher rewards to researchers who report especially critical or creative bugs.
In addition to the critical group of bugs that leads to a sandbox escape, Google also fixed several high-risk vulnerabilities, including three use-after-free flaws. Here’s the full list of bugs that earned rewards and are in Chrome 37:
[$30000] Critical CVE-2014-3176, CVE-2014-3177: A special reward to lokihardt@asrt for a combination of bugs in V8, IPC, sync, and extensions that can lead to remote code execution outside of the sandbox.
[$2000] High CVE-2014-3168: Use-after-free in SVG. Credit to cloudfuzzer.
[$2000] High CVE-2014-3169: Use-after-free in DOM. Credit to Andrzej Dyjak.
[$1000] High CVE-2014-3170: Extension permission dialog spoofing. Credit to Rob Wu.
[$4000] High CVE-2014-3171: Use-after-free in bindings. Credit to cloudfuzzer.
[$1500] Medium CVE-2014-3172: Issue related to extension debugging. Credit to Eli Grey.
[$2000] Medium CVE-2014-3173: Uninitialized memory read in WebGL. Credit to jmuizelaar.
[$500] Medium CVE-2014-3174: Uninitialized memory read in Web Audio. Credit to Atte Kettunen from OUSPG.
Sandbox escapes in Chrome and the other major browsers are relatively rare these days and are valued highly by both researchers and attackers. Researchers see them as valuable learning opportunities and for attackers they can be used to bypass the modern protections in browsers to execute targeted attacks.