Google has released another new version of Chrome that fixes a total of 27 different bugs on various platforms. The company paid out $16,500 in bounties to researchers for the vulnerabilities they reported, including one $3,000 payment for a high-severity bug.
The new version of Chrome, version 11.0.696.57, fixes a slew of high-severity vulnerabilities, most notably a URL bar spoofing problem that comprises three separate issues. Some of the vulnerabilities are platform-specific, including a few Linux only bugs.
The $16,500 that Google paid out to researchers for the bugs represents the highest payout from the company for a single version of Chrome. The bugs Google fixed in the new version include:
- [61502] High CVE-2011-1303: Stale pointer in floating object handling. Credit to Scott Hess of the Chromium development community and Martin Barbella.
- [70538] Low CVE-2011-1304: Pop-up block bypass via plug-ins. Credit to Chamal De Silva.
- [Linux / Mac only] [70589] Medium CVE-2011-1305: Linked-list race in database handling. Credit to Kostya Serebryany of the Chromium development community.
- [$500] [71586] Medium CVE-2011-1434: Lack of thread safety in MIME handling. Credit to Aki Helin.
- [72523] Medium CVE-2011-1435: Bad extension with ‘tabs’ permission can capture local files. Credit to Cole Snodgrass.
- [Linux only] [72910] Low CVE-2011-1436: Possible browser crash due to bad interaction with X. Credit to miaubiz.
- [$1000] [73526] High CVE-2011-1437: Integer overflows in float rendering. Credit to miaubiz.
- [$1000] [74653] High CVE-2011-1438: Same origin policy violation with blobs. Credit to kuzzcc.
- [Linux only] [74763] High CVE-2011-1439: Prevent interference between renderer processes. Credit to Julien Tinnes of the Google Security Team.
- [$1000] [75186] High CVE-2011-1440: Use-after-free with <ruby> tag and CSS. Credit to Jose A. Vazquez.
- [$500] [75347] High CVE-2011-1441: Bad cast with floating select lists. Credit to Michael Griffiths.
- [$1000] [75801] High CVE-2011-1442: Corrupt node trees with mutation events. Credit to Sergey Glazunov and wushi of team 509.
- [$1000] [76001] High CVE-2011-1443: Stale pointers in layering code. Credit to Martin Barbella.
- [$500] [Linux only] [76542] High CVE-2011-1444: Race condition in sandbox launcher. Credit to Dan Rosenberg.
- [76646] Medium CVE-2011-1445: Out-of-bounds read in SVG. Credit to wushi of team509.
- [$3000] [76666] [77507] [78031] High CVE-2011-1446: Possible URL bar spoofs with navigation errors and interrupted loads. Credit to kuzzcc.
- [$1000] [76966] High CVE-2011-1447: Stale pointer in drop-down list handling. Credit to miaubiz.
- [$1000] [77130] High CVE-2011-1448: Stale pointer in height calculations. Credit to wushi of team509.
- [$1000] [77346] High CVE-2011-1449: Use-after-free in WebSockets. Credit to Marek Majkowski.
- [77349] Low CVE-2011-1450: Dangling pointers in file dialogs. Credit to kuzzcc.
- [$2000] [77463] High CVE-2011-1451: Dangling pointers in DOM id map. Credit to Sergey Glazunov.
- [$500] [77786] Medium CVE-2011-1452: URL bar spoof with redirect and manual reload. Credit to Jordi Chancel.
- [$1500] [79199] High CVE-2011-1454: Use-after-free in DOM id handling. Credit to Sergey Glazunov.
- [79361] Medium CVE-2011-1455: Out-of-bounds read with multipart-encoded PDF. Credit to Eric Roman of the Chromium development community.
- [79364] High CVE-2011-1456: Stale pointers with PDF forms. Credit to Eric Roman of the Chromium development community.