Google Patches 9 Security Flaws in New Chrome Browser Build


Five Chrome bug bounty hunters split $14,000 in rewards as Google patches nine security flaws in its browser; four of them are rated “high”.

Google updated its browser Thursday, patching nine security bugs and labeling four as “high” and two as “medium” risk to computer users. The update was tied to a new Chrome browser build (50.0.2661.94) that fixes the flaws.

Google also shelled out $14,000 in bug bounty payouts for the flaws addressed in this security update, according to a Google Chrome Team security bulletin.

Details are scant on the actual security flaws. That’s because Google says it needs to keep information about the bugs restricted until a majority of browsers are updated. “We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed,” it wrote.

Five Chrome bug bounty hunters split the $14,000 in rewards. Four $3,000 payments went to those who discovered “high” risk browser vulnerabilities.

Security researcher Atte Kettunen, with the University of Oulu in Finland, earned $3,000 for discovering an “out-of-bounds write in Blink” vulnerability (CVE-2016-1660).

Independent security consultant Wadih Matar also earned $3,000 for his discovery of a “Memory corruption in cross-process frames” (CVE-2016-1661) security bug in Chrome. Matar earned an additional $1,000 for a “medium” risk “address bar spoofing” bug (CVE-2016-1664) that was also fixed in this update.

Rob Wu, a software science student at the Eindhoven University of Technology, also earned $3,000 for his discovery of a “use-after-free in extensions” security flaw (CVE-2016-1662) found in Chrome.

Google also paid $3,000 to an anonymous researcher who discovered a security flaw (CVE-2016-1663) that was only described as “use-after-free in Blink’s V8 bindings.”

Another bug bounty payout went to “gksgudtjr456,” who received $1,000 for a “medium” risk “information leak in V8” security flaw (CVE-2016-1665).

Google fixed an additional three security bugs (CVE-2016-1666) that included “various fixes from internal audits, fuzzing and other initiatives.”
