Google Fixes 11 Flaws in Chrome

Google Chrome 26, the latest version of the company’s browser, is out and it contains a number of security patches, most notably a fix for a high-priority use-after-free vulnerability in the Web Audio component of the browser.

Google Chrome 26, the latest version of the company’s browser, is out and it contains a number of security patches, most notably a fix for a high-priority use-after-free vulnerability in the Web Audio component of the browser.

That vulnerability, discovered and reported by Atte Kettunen, is the only one in Chrome 26 for which Google paid a bug bounty as part of its reward program. All of the other vulnerabilities were discovered by members of the company’s own security team or the bugs just didn’t qualify for a reward. This continues a somewhat recent trend of the number of vulnerabilities qualifying for rewards from Google declining as it becomes more and more difficult to find serious bugs in the browser.Chrome

Google has raised the amount of money paid for serious vulnerabilities in order to attract more submissions from security researchers, but the improved defenses in Chrome have made life more difficult for would-be submitters.

Here is the full list of vulnerabilities patched by Google in Chrome 26:

  • [$1000] [172342High CVE-2013-0916: Use-after-free in Web Audio. Credit to Atte Kettunen of OUSPG.
  • [180909Low CVE-2013-0917: Out-of-bounds read in URL loader. Credit to Google Chrome Security Team (Cris Neckar).
  • [180555Low CVE-2013-0918: Do not navigate dev tools upon drag and drop. Credit to Vsevolod Vlasov of the Chromium development community.
  • [Linux only] [178760] Medium CVE-2013-0919: Use-after-free with pop-up windows in extensions. Credit to Google Chrome Security Team (Mustafa Emre Acer).
  • [177410Medium CVE-2013-0920: Use-after-free in extension bookmarks API. Credit to Google Chrome Security Team (Mustafa Emre Acer).
  • [174943High CVE-2013-0921: Ensure isolated web sites run in their own processes.
  • [174129Low CVE-2013-0922: Avoid HTTP basic auth brute force attempts. Credit to “t3553r”.
  • [169981] [169972] [169765Medium CVE-2013-0923: Memory safety issues in the USB Apps API. Credit to Google Chrome Security Team (Mustafa Emre Acer).
  • [169632Low CVE-2013-0924: Check an extension’s permissions API usage again file permissions. Credit to Benjamin Kalman of the Chromium development community.
  • [168442Low CVE-2013-0925: Avoid leaking URLs to extensions without the tabs permissions. Credit to Michael Vrable of Google.
  • [112325Medium CVE-2013-0926: Avoid pasting active tags in certain situations. Credit to Subho Halder, Aditya Gupta, and Dev Kar of xys3c (xysec.com).

Suggested articles