Google has issued a security update for its Chrome operating system on Android devices, resolving seven medium-risk vulnerabilities and paying out a total of $3,500 in rewards to two researchers.
On the Google Chrome Blog, software engineer Jay Civelli wrote that the update strengthens Chrome for Android’s sandbox technology as well as resolving seven other moderate bugs. The fix is available for users of Android 4.0 (Ice Cream Sandwich) and 4.1 (Jelly Bean).
Specifically, the update fixes two medium-rated bugs reported by Artem Chaykin for which he received a total of $1,000 in rewards. The first fixes an issue with information and credential disclosure by file:// URLs and the second resolves a problem with current-tab cross-application scripting (UXSS).
The other five vulnerabilities reported by Takeshi Terada also received medium ratings, earning him $2,500 ($500 apiece). His reports had to do with UXSS via intent extra data, information and credential disclosure by file:// URLs, Android APIs exposed to JavaScript, bypassing same-origin policy for local files with symlinks, and cookie theft by malicious local Android app.
Interestingly, Google shipped these updates on the same day that Jon Oberheide of Duo Security published a blog presenting the findings of their X-Ray projects, which revealed that more than half of Android devices contain vulnerabilities that could be exploited by attackers to take complete control of user’s devices.
