Google continued its onslaught of summer Chrome patches Wednesday when it pushed out version 53 of the browser, fixing 33 bugs, half of which were rated “high” severity by the company.
Google paid at least $56,500 in rewards to researchers who discovered vulnerabilities in the browser this time through. The company is still determining how much to award several researchers who found bugs, while two vulnerabilities marked Wednesday were ultimately not applicable to the company’s bug bounty program.
The vulnerabilities that received the highest payout – $7,500 each – were two cross site scripting vulnerabilities in Blink, a web browser engine present in the browser, and a script injection vulnerability in the browser’s extensions functionality. The rest of the vulnerabilities branded “high” severity were mostly heap overflows in PDFium, Chrome’s default PDF reader.
The update also fixes two address-spoofing vulnerabilities, including one uncovered by researcher Rafay Baloch a few weeks ago. The flaw stemmed from how browsers’ address bars mishandled Unicode characters such as “|” in Arabic and Hebrew. Mozilla paid Baloch a $1,000 reward in August for disclosing how the issue affected Firefox. It appears the vulnerability, marked “medium” severity by Chrome’s Security Team, netted Baloch $3,000 from Google. Details around the second address spoofing vulnerability, credited to “anonymous” are scant.
Chrome has seen a steady uptick in patches over the past few months. Last month’s update – version 52 – saw 48 bugs fixed by the company; May’s update saw 42 bugs fixed.
Here’s the full list of bugs fixed in Chrome 53 that earned rewards:
[$7500][628942] High CVE-2016-5147: Universal XSS in Blink. Credit to anonymous
[$7500][621362] High CVE-2016-5148: Universal XSS in Blink. Credit to anonymous
[$7500][573131] High CVE-2016-5149: Script injection in extensions. Credit to Max Justicz (http://web.mit.edu/maxj/www/)
[$5000][637963] High CVE-2016-5150: Use after free in Blink. Credit to anonymous
[$5000][634716] High CVE-2016-5151: Use after free in PDFium. Credit to anonymous
[$5000][629919] High CVE-2016-5152: Heap overflow in PDFium. Credit to GiWan Go of Stealien
[$3500][631052] High CVE-2016-5153: Use after destruction in Blink. Credit to Atte Kettunen of OUSPG
[$3000][633002] High CVE-2016-5154: Heap overflow in PDFium. Credit to anonymous
[$3000][630662] High CVE-2016-5155: Address bar spoofing. Credit to anonymous
[$3000][625404] High CVE-2016-5156: Use after free in event bindings. Credit to jinmo123
[$TBD][632622] High CVE-2016-5157: Heap overflow in PDFium. Credit to anonymous
[$TBD][628890] High CVE-2016-5158: Heap overflow in PDFium. Credit to GiWan Go of Stealien
[$TBD][628304] High CVE-2016-5159: Heap overflow in PDFium. Credit to GiWan Go of Stealien
[$n/a][622420] Medium CVE-2016-5161: Type confusion in Blink. Credit to 62600BCA031B9EB5CB4A74ADDDD6771E working with Trend Micro’s Zero Day Initiative
[$n/a][589237] Medium CVE-2016-5162: Extensions web accessible resources bypass. Credit to Nicolas Golubovic
[$3000][609680] Medium CVE-2016-5163: Address bar spoofing. Credit to Rafay Baloch PTCL Etisalat (http://rafayhackingarticles.net)
[$2000][637594] Medium CVE-2016-5164: Universal XSS using DevTools. Credit to anonymous
[$1000][618037] Medium CVE-2016-5165: Script injection in DevTools. Credit to Gregory Panakkal
[$TBD][616429] Medium CVE-2016-5166: SMB Relay Attack via Save Page As. Credit to Gregory Panakkal
[$500][576867] Low CVE-2016-5160: Extensions web accessible resources bypass. Credit to @l33terally, FogMarks.com (@FogMarks)