Google Plugs 21 Security Holes in Chrome

Bug hunters earned $30,000 in rewards for reporting 21 security flaws that were fixed in Chrome 54.

Google on Wednesday patched 21 security vulnerabilities in Chrome, including a half dozen rated high severity that were reported by external researchers and were eligible for a bounty.

Bug hunters earned a total of $30,000 in bounties, with a top payout of $7,500 to an unnamed researcher for a universal cross-site scripting flaw found in Blink, the Chrome browser engine.

The Chrome 54 update (54.0.2840.59) applies to the Windows, Mac, and Linux versions of the browser. Google said in its security bulletin the updates will roll out over the next days and weeks to Chrome browsers.

Google hasn’t revealed many details on the vulnerabilities discovered. The universal XSS bug (CVE-2016-5181) in Blink was one of several vulnerabilities that impacted the browser engine. A second heap overflow bug (CVE-2016-5182) in Blink was reported by a researcher Giwan Go of Korean security company Stealien.

A third Blink vulnerability (CVE-2016-5185) was identified by the prolific bug hunter that goes by the handle cloudfuzzer, who earned a $3,000 reward. This use-after-free flaw allows hackers to execute arbitrary code or crash programs by utilizing system memory that has been temporarily freed.

Google patched two vulnerabilities tied to its problem-plagued Chrome default PDF viewer, called PDFium. According to Google, researchers found two high-rated vulnerabilities that are both use-after-free bugs (CVE-2016-5184 and CVE-2016-5183) tied to PDFium. Google has had to fix the PDFium component in its browser several times this year, including in June when it patched a bug that allowed attackers to execute code on targeted systems via a specially crafted PDF document with an embedded jpeg2000 image.

A fifth high-severity bug was identified by researcher Luan Herrera who found a URL spoofing vulnerability (CVE-2016-5187). The researcher had found a previous medium-severity vulnerability in April. Herrera earned $1,000 for this most recent find. Herrera earned an additional $3,134 for finding a medium-severity UI spoofing bug (CVE-2016-5188) that can cause a user to mistake content for a Chrome browser element such as a location or status bar.

Following is a complete list of other vulnerabilities that earned rewards:

[$1,000] [633885] Medium CVE-2016-5192: Cross-origin bypass in Blink. Credit to haojunhou [at]

[$500] [646278] Medium CVE-2016-5189: URL spoofing. Credit to xisigr of Tencent’s Xuanwu Lab

[$500] [644963] Medium CVE-2016-5186: Out of bounds read in DevTools. Credit to Abdulrahman Alqabandi (@qab)

[$500] [639126] Medium CVE-2016-5191: Universal XSS in Bookmarks. Credit to Gareth Hughes

[$N/A] [642067] Medium CVE-2016-5190: Use after free in Internals. Credit to Atte Kettunen of OUSPG

[$500] [639658] Low CVE-2016-5193: Scheme bypass. Credit to Yuyang ZHOU (martinzhou96)

Suggested articles