Google has released version 18 of its Chrome browser and has fixed a number of serious security vulnerabilities in the process. The latest version of Chrome also includes an updated release of the Flash player that now includes the background updated that enables users to set the software to update itself without any help from the user.
Chrome 18 includes fixes for nine security flaws, three high-severity vulnerabilities among them. The company paid out $4,000 to researchers as part of its vulnerability reward program, and also handed out an extra $8,000 to a group of researchers who worked with Google to help stop some problems from ever getting into the stable version of the browser.
The updated Adobe Flash application that’s in Chrome 18 is the same one that Adobe released on Tuesday as a stand-alone version. The big change is that the software now gives users the option of setting it up to update itself silently when new versions are available, which is designed to keep users on the most recent version. The change is one that Adobe made to some of its other applications before and its the same kind of system that Google uses for Chrome.
““The new background updater will provide a better experience for our customers, and it will allow us to more rapidly respond to zero-day attack,” Peleus Uhley wrote on the Adobe’s Secure Software Engineering Team blog Tuesday.
The full list of fixes in Google Chrome 18 includes:
[$500] [109574] Medium CVE-2011-3058: Bad interaction possibly leading to XSS in EUC-JP. Credit to Masato Kinugawa.
[$500] [112317] Medium CVE-2011-3059: Out-of-bounds read in SVG text handling. Credit to Arthur Gerkis.
[$500] [114056] Medium CVE-2011-3060: Out-of-bounds read in text fragment handling. Credit to miaubiz.
[116398] Medium CVE-2011-3061: SPDY proxy certificate checking error. Credit to Leonidas Kontothanassis of Google.
[116524] High CVE-2011-3062: Off-by-one in OpenType Sanitizer. Credit to Mateusz Jurczyk of the Google Security Team.
[117417] Low CVE-2011-3063: Validate navigation requests from the renderer more carefully. Credit to kuzzcc, Sergey Glazunov, PinkiePie and scarybeasts (Google Chrome Security Team).
[$1000] [117471] High CVE-2011-3064: Use-after-free in SVG clipping. Credit to Atte Kettunen of OUSPG.
[$1000] [117588] High CVE-2011-3065: Memory corruption in Skia. Credit to Omair.
[$500] [117794] Medium CVE-2011-3057: Invalid read in v8. Credit to Christian Holler.
