Google Patches 32 Chrome Browser Bugs & Releases Version 14

The New Acunetix V12 Engine

Google and their Chrome browser have really been stepping things up lately when it comes to security and browsing, we reported not along ago on Google Chrome To Protect Users Against Malicious Executables.

Also since we reported on the Chrome bug bounty program back in February 2010 – Google Willing To Pay Bounty For Chrome Browser Bugs – it seems to have been a great success.

They’ve paid out a fair amount of money and patched 32 vulnerabilities in the latest version of Chrome (v14) – do note though, none of the vulnerabilities were of a critical level.

Google today patched 32 vulnerabilities in Chrome, paying more than $14,000 in bug bounties as it also upgraded the stable edition of the browser to version 14.

The company called out a pair of developer-oriented additions to Chrome 14 and noted new support for Mac OS X 10.7, aka Lion, including full-screen mode and vanishing scrollbars.

Google last upgraded Chrome’s stable build in early August. Google produces an update about every six weeks, a practice that rival Mozilla also adopted with the debut of Firefox 5 last June.

Fifteen of the 32 vulnerabilities were rated “high,” the second-most-serious ranking in Google’s four-step scoring system, while 10 were pegged “medium” and the remaining seven were marked “low.”

None of the flaws were ranked “critical,” the category usually reserved for bugs that may allow an attacker to escape Chrome’s anti-exploit sandbox. Google has patched several critical bugs this year, the last time in April.

Six of the vulnerabilities rated high were identified as “use-after-free” bugs, a type of memory management flaw that can be exploited to inject attack code, while seven of the bugs ranked medium were “out-of-bounds” flaws, including a pair linked to foreign language character sets used in Cambodia and Tibet.

I think the whole bug bounty model is great, I mean look at it this way – Google has paid out $14,000 in bug bounties for these vulnerabilities. That’s a small fraction of what it would cost to get a ‘professional’ company to do as a VA or code-audit on the software.

Plus for the researchers, they get to practise their skills and make a little pocket money on the side. I don’t expect anyone to hand over any critical 0-day type exploits for the amount Google is offering, but still – it makes the browser more secure.

And at the end of the day, more secure browsers make for less virus laden family members and colleagues (and less of that annoying work which we can’t escape for us).

Google paid $14,337 in bounties to nine researchers, including $3,500 to “miaubiz” and $2,337 to Sergey Glazunov, another regular bug finder.

The company’s security team also credited others, including researchers who work for Microsoft and Apple, for “working with us in the development cycle and preventing bugs from ever reaching the stable channel.” Some of those researchers were also awarded bounties, but Google did not spell out the amounts of those awards.

As per its practice, Google barred access to the Chrome bug-tracking database for the 32 vulnerabilities to prevent outsiders from obtaining details on the flaws. The company only opens the database after users have had time to update the browser.

Google also added a pair of developer-only features to Chrome 14, including support for the Web Audio API (application programming interface) and for “native client,” an open-source technology that runs software written in C and C++ within Chrome’s security sandbox.

The Mac version of Chrome 14 also supports Lion’s new approach to scrollbars, which appear only when a user is actively scrolling through the browser window. Chrome 14 also now runs in Lion’s full-screen mode, triggered via the icon in the upper right of the browser or by pressing Ctrl-Command-F.

But Chrome’s full-screen support isn’t polished or finished; the browser won’t return to its windowed view with a press of the Escape key, as do Apple’s home-grown applications in Lion.

Seems like Google had some help from Apple and Microsoft too – good to see the big boys working together.

I’ve given up on Firefox, I tried using Chrome for a while but didn’t really get on with it (seemed like a massive memory hog). I’ve recently switched to Palemoon (a Windows optimised version of Firefox) and it’s great so far.

Source: Network World

Posted in: Countermeasures, Exploits/Vulnerabilities

, , , , , ,

Latest Posts:

Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds. - Test SSL Security Including Ciphers, Protocols & Detect Flaws – Test SSL Security Including Ciphers, Protocols & Detect Flaws is a free command line tool to test SSL security, it checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.

3 Responses to Google Patches 32 Chrome Browser Bugs & Releases Version 14

  1. ronnyfm September 20, 2011 at 5:24 am #

    With Firefox 7 I think performance have been lastly addressed correctly. Is that Pale Moon using the new Gecko Engine?

    • Darknet September 20, 2011 at 10:18 am #

      Not sure, haven’t tried the dev branch lately. Palemoon is following same codebase as Firefox stable tree – just compiled differently with different default options.

  2. droope September 20, 2011 at 7:03 pm #

    you should try firefox 9

    its on the nightly build. REally fast, replaced chrome almost-completely ( lacking plugins, but most work )