Google has released Chrome 27, a new version of its browser that includes a long list of security fixes, many of which are for high-risk vulnerabilities. The company handed out more than $14,000 in rewards to researchers who reported bugs fixed in the latest iteration of Chrome.
Google’s security reward program can probably be regarded as one of the more successful ones in the industry. Designed to provide incentives for security researchers to report vulnerabilities in Chrome and Chrome OS to the company privately rather than publicly disclosing them. Rewards can range from a few hundred dollars for minor flaws up to tens of thousands of dollars for especially severe issues.
None of the vulnerabilities addressed in Chrome 27 fit the latter description, with the highest payment being $3133.70 to Atte Kettunen for some memory safety issues. Chrome users should update their browsers as soon as possible to protect themselves against exploits.
Here are the bugs fixed in Chrome 27:
-
[$1000] [235638] High CVE-2013-2837: Use-after-free in SVG. Credit to Sławomir Błażek.
-
[$500] [235311] Medium CVE-2013-2838: Out-of-bounds read in v8. Credit to Christian Holler.
-
[$1500] [230176] High CVE-2013-2839: Bad cast in clipboard handling. Credit to Jon of MWR InfoSecurity.
-
[$1000] [230117] High CVE-2013-2840: Use-after-free in media loader. Credit to Nils of MWR InfoSecurity.
-
[$1000] [227350] High CVE-2013-2841: Use-after-free in Pepper resource handling. Credit to Chamal de Silva.
-
[$2000] [226696] High CVE-2013-2842: Use-after-free in widget handling. Credit to Cyril Cattiaux.
-
[$1000] [222000] High CVE-2013-2843: Use-after-free in speech handling. Credit to Khalil Zhani.
-
[$1000] [196393] High CVE-2013-2844: Use-after-free in style resolution. Credit to Sachin Shinde (@cons0ul).
-
[$1000] [177620] High CVE-2013-2846: Use-after-free in media loader. Credit to Chamal de Silva.
-
[$1000] [176692] High CVE-2013-2847: Use-after-free race condition with workers. Credit to Collin Payne.
-
[$500] [176137] Medium CVE-2013-2848: Possible data extraction with XSS Auditor. Credit to Egor Homakov.
-
[171392] Low CVE-2013-2849: Possible XSS with drag+drop or copy+paste. Credit to Mario Heiderich.