Google patches 31 Chrome flaws, issues bug bounty rewards

Bug hunters who reported 31 flaws fixed in the Chrome 34 release, 19 of them deemed critical, have been awarded thousands of dollars.

Google has awarded over $28,000 to bug hunters who have contributed to fixing security problems in Chrome 34.

According to Google's Chrome Releases blog, the Chrome 34 release — now promoted to the Stable channel — contains a number of fixes and improvements. In total, 34 security vulnerabilities have been patched, including approximately 19 highly rated, critical flaws.

In total, over $28,000 has been awarded to reporters of the security issues.

In the next release of Chrome, when Chrome 34 becomes part of the Stable Channel and is then rolled out as a default browser for millions of users, the software will include a new feature: it will "now offer to remember and fill password fields in the presence of autocomplete=off." In other words, even if a website turns off automatic password retention, Chrome will offer to do it anyway for password fields.

The Chrome development team say "it is the security team's view that this is very important for user security by allowing users to have unique and more complex passwords for websites."

In addition, Chrome 34 includes new apps, extended APIs, a different look for Windows 8, and "lots of under the hood" changes to improve stability and performance.

The full list of fixes is below:

  • [$5000][354123] High CVE-2014-1716: UXSS in V8. Credit to Anonymous.
  • [$5000][353004] High CVE-2014-1717: OOB access in V8. Credit to Anonymous.
  • [$3000][348332] High CVE-2014-1718: Integer overflow in compositor. Credit to Aaron Staple.
  • [$3000][343661] High CVE-2014-1719: Use-after-free in web workers. Credit to Collin Payne.
  • [$2000][356095] High CVE-2014-1720: Use-after-free in DOM. Credit to cloudfuzzer.
  • [$2000][350434] High CVE-2014-1721: Memory corruption in V8. Credit to Christian Holler.
  • [$2000][330626] High CVE-2014-1722: Use-after-free in rendering. Credit to miaubiz.
  • [$1500][337746] High CVE-2014-1723: Url confusion with RTL characters. Credit to George McBay.
  • [$1000][327295] High CVE-2014-1724: Use-after-free in speech. Credit to Atte Kettunen of OUSPG.
  • [$3000][357332] Medium CVE-2014-1725: OOB read with window property. Credit to Anonymous.
  • [$1000][346135] Medium CVE-2014-1726: Local cross-origin bypass. Credit to Jann Horn.
  • [$1000][342735] Medium CVE-2014-1727: Use-after-free in forms. Credit to Khalil Zhani.

"As usual, our ongoing internal security work [is] responsible for a wide range of fixes: [360298] CVE-2014-1728: Various fixes from internal audits, fuzzing, and other initiatives. [345820, 347262, 348319, 350863, 352982, 355586, 358059] CVE-2014-1729: Multiple vulnerabilities in V8 fixed in version 3.24.35.22."
