Google has fixed 15 security vulnerabilities in its Chrome browser, including six high-risk bugs. As part of its reward program, Google paid out $6,000 in rewards to researchers who reported flaws.
This is one of the larger groups of bug fixes that Google has included in recent releases of Chrome. The company has been using a rolling update schedule for Chrome, and it often will release new stable versions of the browser with just a few bug fixes or security patches. But this release is a fairly major one.
The full list of fixes in version 16.0.912.63 of Chrome:
- [81753] Medium CVE-2011-3903: Out-of-bounds read in regex matching. Credit to David Holloway of the Chromium development community.
- [95465] Low CVE-2011-3905: Out-of-bounds reads in libxml. Credit to Google Chrome Security Team (Inferno).
- [$500] [98809] Medium CVE-2011-3906: Out-of-bounds read in PDF parser. Credit to Aki Helin of OUSPG.
- [$1000] [99016] High CVE-2011-3907: URL bar spoofing with view-source. Credit to Mitja Kolsek of ACROS Security.
- [100863] Low CVE-2011-3908: Out-of-bounds read in SVG parsing. Credit to Aki Helin of OUSPG.
- [101010] Medium CVE-2011-3909: [64-bit only] Memory corruption in CSS property array. Credit to Google Chrome Security Team (scarybeasts) and Chu.
- [101494] Medium CVE-2011-3910: Out-of-bounds read in YUV video frame handling. Credit to Google Chrome Security Team (Cris Neckar).
- [101779] Medium CVE-2011-3911: Out-of-bounds read in PDF. Credit to Google Chrome Security Team (scarybeasts) and Robert Swiecki of the Google Security Team.
- [$1000] [102359] High CVE-2011-3912: Use-after-free in SVG filters. Credit to Arthur Gerkis.
- [$1000] [103921] High CVE-2011-3913: Use-after-free in Range handling. Credit to Arthur Gerkis.
- [$1000] [104011] High CVE-2011-3914: Out-of-bounds write in v8 i18n handling. Credit to Sławomir Błażek.
- [$1000] [104529] High CVE-2011-3915: Buffer overflow in PDF font handling. Credit to Atte Kettunen of OUSPG.
- [$500] [104959] Medium CVE-2011-3916: Out-of-bounds reads in PDF cross references. Credit to Atte Kettunen of OUSPG.
- [105162] Medium CVE-2011-3917: Stack-buffer-overflow in FileWatcher. Credit to Google Chrome Security Team (Marty Barbella).
- [107258] High CVE-2011-3904: Use-after-free in bidi handling. Credit to Google Chrome Security Team (Inferno) and miaubiz.
Also in this version of Chrome, Google added the ability for people to add new users to each installation of the browser. Each individual user can sign in to Chrome and sync their settings, extensions and other add-ons to the Web, giving each person a separate experience.
“Keep in mind that adding new users to Chrome isn’t intended to secure your data against other people using your computer, since it just takes a few clicks to switch between users. We’re providing this functionality as a quick and simple user interface convenience for people who are already sharing Chrome on the same computer today,” Google’s Tim Steele wrote in a blog post.