Google has fixed more than two dozen vulnerabilities in its Chrome browser and also implemented a defense against the BEAST SSL attack. The bugs fixed in the new version of Chrome include 11 high-severity flaws.
As part of its bug bounty program, Google paid more than $26,000 in rewards to researchers who reported bugs to the company that were fixed in the newest version of the browser. Among the more serious vulnerabilities fixed in Chrome is a series of same-origin policy violations (CVE-2011-3881) that were discovered and reported by a researcher named Sergey Glazunov. That submission alone earned him $12,174 in rewards.
The full list of bugs fixed in Chrome 15.0.874.102:
- [$500] [86758] High CVE-2011-2845: URL bar spoof in history handling. Credit to Jordi Chancel.
- [88949] Medium CVE-2011-3875: URL bar spoof with drag+drop of URLs. Credit to Jordi Chancel.
- [90217] Low CVE-2011-3876: Avoid stripping whitespace at the end of download filenames. Credit to Marc Novak.
- [91218] Low CVE-2011-3877: XSS in appcache internals page. Credit to Google Chrome Security Team (Tom Sepez) plus independent discovery by Juho Nurminen.
- [94487] Medium CVE-2011-3878: Race condition in worker process initialization. Credit to miaubiz.
- [95374] Low CVE-2011-3879: Avoid redirect to chrome scheme URIs. Credit to Masato Kinugawa.
- [95992] Low CVE-2011-3880: Don’t permit as an HTTP header delimiter. Credit to Vladimir Vorontsov, ONsec company.
- [$12174] [96047] [96885] [98053] [99512] [99750] High CVE-2011-3881: Cross-origin policy violations. Credit to Sergey Glazunov.
- [96292] High CVE-2011-3882: Use-after-free in media buffer handling. Credit to Google Chrome Security Team (Inferno).
- [$1000] [96902] High CVE-2011-3883: Use-after-free in counter handling. Credit to miaubiz.
- [97148] High CVE-2011-3884: Timing issues in DOM traversal. Credit to Brian Ryner of the Chromium development community.
- [$6337] [97599] [98064] [98556] [99294] [99880] [100059] High CVE-2011-3885: Stale style bugs leading to use-after-free. Credit to miaubiz.
- [$2000] [98773] [99167] High CVE-2011-3886: Out of bounds writes in v8. Credit to Christian Holler.
- [$1500] [98407] Medium CVE-2011-3887: Cookie theft with javascript URIs. Credit to Sergey Glazunov.
- [$1000] [99138] High CVE-2011-3888: Use-after-free with plug-in and editing. Credit to miaubiz.
- [$2000] [99211] High CVE-2011-3889: Heap overflow in Web Audio. Credit to miaubiz.
- [99553] High CVE-2011-3890: Use-after-free in video source handling. Credit to Ami Fischman of the Chromium development community.
- [100332] High CVE-2011-3891: Exposure of internal v8 functions. Credit to Steven Keuchel of the Chromium development community plus independent discovery by Daniel Divricean.
Chrome was not directly vulnerable to the BEAST SSL attack that was developed by Thai Duong and Juliano Rizzo and disclosed a few weeks ago, but Google made a change to the browser to defend against such attacks anyway.
“Although Chrome is not directly affected by the attack, the NSS network library was updated to include a defense against so-called BEAST. This defense may expose bugs in Brocade hardware. Brocade is working on the issue,” the company said in a blog post.