Google Patches 10 Chrome Holes, Pays $10k in Bounties

Google said on Thursday that it patched ten security holes in its Chrome Web browser. The company also paid out more than $10,000 in bounties to security researchers who reported the holes. 


The updates, released as Chrome 5.0.375.127, include fixes for two critical vulnerabilities and a workaround for another critical vulnerability in a third-party component that affects Chrome, according to a post on the Chrome blog (http://googlechromereleases.blogspot.com/2010/08/stable-channel-update_19.html) by team member Jason Kersey. 
The critical holes include a memory corruption hole within the Chrome file dialog and a bug in the notifications feature that would crash Chrome during shutdown. 
Google defines critical security holes as those that “allow an attacker to run arbitrary code with the user’s privileges in the normal course of browsing.” Of the remaining holes that were patched, seven were rated “High” severity, defined as holes that let an attacker “read or modify confidential data belonging to other Web sites.” One was a “Medium” severity hole. 
In July, Google announced changes in its remuneration for security researchers who find holes in the company’s products. The maximum payout for a single bug was increased to $3,133.70, based on the severity of the hole and the amount of research done to find and analyze it. The minimum payment stays flat at $500. None of the patched holes carried the new maximum reward. 
Google’s move followed a similar announcement from Mozilla, which increased its bounty for security holes to $3,000 as part of its six-year-old bug bounty program. However, security researchers have argued that software vendors are still underpaying for security holes in their products, with governments and private contractors – as well as the cybercriminal underground – paying much higher prices for information on critical, remotely exploitable holes. 



Discussion

  • Ralph Dratman on

    I can't help wondering, supposing in an imaginary world that all software development (except bug fixes) stopped, how long there would be a revenue stream available for finding bugs!

    While this is an experiment that can never be run, because software development never stops, nevertheless it might be possible to track to some extent whether old code ever gets fully debugged.

    On another related point, aren't there processor architectures in which data can never be executed? For example, if I remember correctly, "Harvard Architecture," used by some DSPs, has separate data and code buses and memory. Wouldn't that rule out code execution attacks?
