Google is urging Windows, Mac and Linux users to update their Chrome browser to fix five security holes, two of which rate as high severity. Google warned users of the vulnerabilities Wednesday as it released a new version, 50.0.2661.102, of the browser.
The Chrome security holes were found by four bug bounty hunters as part of Google’s Chromium Project and its bug bounty program. One of those bug bounty hunters was noted Polish security researcher Mariusz Mlynski, who earned a total of $15,500 for identifying two Chrome browser security vulnerabilities.
One of the browser flaws (CVE-2016-1667) Mlynski found is rated high and described as a “same origin bypass in DOM” vulnerability. The flaw allows remote attackers to bypass the Same Origin Policy via unspecified vectors and is tied to Chrome’s Document Object Model (DOM) platform. The bug earned Mlynski a bounty of $8,000.
Mlynski is a regular top performer at hacking competitions such as the Pwn2Own contest and is a prolific bug bounty hunter.
The remaining two medium-risk vulnerabilities include a “race condition in loader” vulnerability (CVE-2016-1670) found by an anonymous bug hunter who earned $1,337 for the find. A second medium-risk vulnerability (CVE-2016-1671) earned researcher Jann Horn $500 for a “directory traversal using the file scheme on Android.”
Google said it is refraining from releasing more details regarding the bugs until “a majority of users are updated with a fix.”