Google updates its Chrome browser on a very aggressive timeline, often a couple of times a month. Usually, each update includes a handful of security fixes, maybe 12 or 15. On Tuesday, the company released Chrome 38, which patched a staggering 159 vulnerabilities.
The huge majority of those patches–113 of them–fix minor vulnerabilities in the browser, but Google also fixed several high-risk flaws and one critical bug that earned the researcher who reported it a reward of more than $27,000. That reward is for a combination of vulnerabilities in the V8 engine and IPC that can enable an attacker to escape the Chrome sandbox and execute arbitrary code. Researcher Juri Aedla received a reward of $27,633.70 for reporting that series of flaws to Google.
In all, Google awarded more than $52,000 in rewards to researchers who reported vulnerabilities fixed in this release. Among the vulnerabilities that Google patched are four use-after-free flaws rated as high risks. There are two other high-risk vulnerabilities, as well as four medium-rated ones and low-risk flaw. Here’s the full list of bugs fixed in Chrome 38:
[$27633.70] Critical CVE-2014-3188: A special thanks to Jüri Aedla for a combination of V8 and IPC bugs that can lead to remote code execution outside of the sandbox.
[$3000] High CVE-2014-3189: Out-of-bounds read in PDFium. Credit to cloudfuzzer.
[$3000] High CVE-2014-3190: Use-after-free in Events. Credit to cloudfuzzer.
[$3000] High CVE-2014-3191: Use-after-free in Rendering. Credit to cloudfuzzer.
[$2000] High CVE-2014-3192: Use-after-free in DOM. Credit to cloudfuzzer.
[$1500] High CVE-2014-3193: Type confusion in Session Management. Credit to miaubiz.
[$1500] High CVE-2014-3194: Use-after-free in Web Workers. Credit to Collin Payne.
[$4500] Medium CVE-2014-3195: Information Leak in V8. Credit to Jüri Aedla.
[$3000] Medium CVE-2014-3196: Permissions bypass in Windows Sandbox. Credit to James Forshaw.
[$1500] Medium CVE-2014-3197: Information Leak in XSS Auditor. Credit to Takeshi Terada.
[$1500] Medium CVE-2014-3198: Out-of-bounds read in PDFium. Credit to Atte Kettunen of OUSPG.
[$500] Low CVE-2014-3199: Release Assert in V8 bindings. Credit to Collin Payne.