Google on Wednesday pushed its third Chrome update since the beginning of March, patching a pair of high-severity vulnerabilities in the browser.
Yesterday’s update brings Chrome to version 50.0.2662.75 and patches 20 vulnerabilities, according to the Google Chrome Releases blog.
Eight of the bugs qualified for a reward under Google’s bug bounty program; the remaining dozen bugs were found internally.
Two of the flaws were rated “High” severity by Google: one was a cross-site scripting flaw credited to an unnamed researcher, and the other an out-of-bounds write flaw in V8 found by Choongwoo Han, a South Korean researcher and student at the Korea Advanced Institute of Science and Technology. The two bugs earned rewards of $7,500 and $5,000 respectively.
Following is a complete list of vulnerabilities that earned rewards:
[$7500][590275] High CVE-2016-1652: Universal XSS in extension bindings. Credit to anonymous.
[$5000][589792] High CVE-2016-1653: Out-of-bounds write in V8. Credit to Choongwoo Han.
[591785] Medium CVE-2016-1651: Out-of-bounds read in Pdfium JPEG2000 decoding. Credit to kdot working with HP’s Zero Day Initiative.
[$1500][589512] Medium CVE-2016-1654: Uninitialized memory read in media. Credit to Atte Kettunen of OUSPG.
[$1500][582008] Medium CVE-2016-1655: Use-after-free related to extensions. Credit to Rob Wu.
[$500][570750] Medium CVE-2016-1656: Android downloaded file path restriction bypass. Credit to Dzmitry Lukyanenko.
[$1000][567445] Medium CVE-2016-1657: Address bar spoofing. Credit to Luan Herrera.
[$500][573317] Low CVE-2016-1658: Potential leak of sensitive information to malicious extensions. Credit to Antonio Sanso (@asanso) of Adobe.
On March 25, Google pushed out an update that addressed a number of flaws in Chrome disclosed during the Pwn2Own contest earlier in the month.