Google has released a new version of Chrome 18 that fixes three high-severity flaws and two medium-severity flaws. You can update to the latest version using the software's built-in silent updater, or you can download the latest version of Chrome directly from google.com/chrome.
Here are the five security vulnerabilities fixed in Google Chrome 18.0.1025.168:
- High CVE-2011-3078: Use after free in floats handling. Credit to Google Chrome Security Team (Marty Barbella) and independent later discovery by miaubiz.
- High CVE-2012-1521: Use after free in xml parser. Credit to Google Chrome Security Team (SkyLined) and independent later discovery by wushi of team509 reported through iDefense VCP (V-874rcfpq7z).
- Medium CVE-2011-3079: IPC validation failure. Credit to PinkiePie.
- Medium CVE-2011-3080: Race condition in sandbox IPC. Credit to Willem Pinckaers of Matasano.
- [$1000] High CVE-2011-3081: Use after free in floats handling. Credit to miaubiz.
This round of patches in Google Chrome is one of the rare occasions when the company didn't have to write many cheques to reward researchers who reported vulnerabilities. Only the last bug, a use-after-free flaw, earned a reward of $1,000. Miaubiz has netted quite a number of bug bounties from Google in the last couple of years.
The $1,000 payout is really just a drop in the bucket for Google, given that the search giant recently quintupled its maximum bug bounty to $20,000. The company has so far received over 780 qualifying vulnerability reports spanning the hundreds of Google-developed services, as well as the software written by 50 or so firms it has acquired. In just over a year, the program has paid out around $460,000 to roughly 200 individuals.