Google pushed out the latest version of Chrome Thursday afternoon, fixing five issues, four of them critical.
The update remedies an out-of-bounds read in Chrome’s open source JavaScript engine V8, two use-after-free vulnerabilities – one in Navigation and one in Extensions – and a buffer overflow in the libANGLE library.
The V8 vulnerability fetched Wen Xu, a researcher with Tencent KeenLab, $7500, while the other bugs netted the two additional researchers, credited as anonymous, a total of $10,500.
Fresh from last week’s Pwn2Own competition in Vancouver, JungHoon Lee, a.k.a. lokihardt, was credited for finding the buffer overflow vulnerability, but according to Google’s release update, it doesn’t appear he was awarded a bounty for his discovery. Lee attempted to demonstrate a code execution attack on Chrome on the competition’s second day, but his attempt failed.
Hackers with 360Vulcan Team partially broke Chrome on Pwn2Own’s first day by demonstrating a successful code execution attack against the browser in the SYSTEM context. Since the vulnerability had previously been reported to Google, they only received partial credit. It’s unclear when the Chrome bug, an out-of-bounds bug which the team chained together with two Flash vulnerabilities and a Windows Kernel vulnerability, will be fixed.
Google claims it fixed also fixed a handful of minor bugs in this version of Chrome that were found by its own internal security team, including multiple vulnerabilities in V8.
The full list of fixes and CVE numbers for the update, which graduates the browser to version 49.0.2623.108 for Windows, Mac, and Linux are as follows:
- [$7500] [594574] High CVE-2016-1646: Out-of-bounds read in V8. Credit to Wen Xu from Tencent KeenLab.
- [$5500] [590284] High CVE-2016-1647: Use-after-free in Navigation. Credit to anonymous.
- [$5000] [590455] High CVE-2016-1648: Use-after-free in Extensions. Credit to anonymous.
- [595836] High CVE-2016-1649: Buffer overflow in libANGLE. Credit to lokihardt working with HP’s Zero Day Initiative / Pwn2Own.
- [597518] CVE-2016-1650: Various fixes from internal audits, fuzzing and other initiatives.
- Multiple vulnerabilities in V8 fixed at the tip of the 4.9 branch (currently 4.9.385.33)
Last week the company announced that it was adding a download protection bypass bounty to its Security Reward Program for any methods that bypass Chrome’s Safe Browsing download protection. The company acknowledged that since it introduced its highest reward, $50,000, it hasn’t had a successful submission, and that it was upping that reward to $100,000.