Google patches 31 Chrome flaws, issues bug bounty rewards

Summary: Thousands of dollars have been awarded to bug hunters who reported 31 flaws for the Chrome 34 release, 19 deemed critical.

Google has awarded over $28,000 to bug hunters who have contributed to fixing security problems in Chrome 34.

According to Google's Chrome Releases blog, the Chrome 34 release — now promoted to the Stable channel — contains a number of fixes and improvements. In total, 34 security vulnerabilities have been patched, including approximately 19 highly rated, critical flaws.

In total, over $28,000 has been awarded to reporters of the security issues.

In the next release of Chrome, when Chrome 34 becomes part of the Stable Channel and is then rolled out as a default browser for millions of users, the software will include a new feature: it will "now offer to remember and fill password fields in the presence of autocomplete=off." In other words, even if a website turns off automatic password retention, Chrome will still offer to remember and fill passwords for that site's password fields.

The Chrome development team say "it is the security team's view that this is very important for user security by allowing users to have unique and more complex passwords for websites."

In addition, Chrome 34 includes new apps, extended APIs, a different look for Windows 8, and "lots of under the hood" changes to improve stability and performance.

The full list of fixes is below:

  • [$5000][354123] High CVE-2014-1716: UXSS in V8. Credit to Anonymous.
  • [$5000][353004] High CVE-2014-1717: OOB access in V8. Credit to Anonymous.
  • [$3000][348332] High CVE-2014-1718: Integer overflow in compositor. Credit to Aaron Staple.
  • [$3000][343661] High CVE-2014-1719: Use-after-free in web workers. Credit to Collin Payne.
  • [$2000][356095] High CVE-2014-1720: Use-after-free in DOM. Credit to cloudfuzzer.
  • [$2000][350434] High CVE-2014-1721: Memory corruption in V8. Credit to Christian Holler.
  • [$2000][330626] High CVE-2014-1722: Use-after-free in rendering. Credit to miaubiz.
  • [$1500][337746] High CVE-2014-1723: Url confusion with RTL characters. Credit to George McBay.
  • [$1000][327295] High CVE-2014-1724: Use-after-free in speech. Credit to Atte Kettunen of OUSPG.
  • [$3000][357332] Medium CVE-2014-1725: OOB read with window property. Credit to Anonymous.
  • [$1000][346135] Medium CVE-2014-1726: Local cross-origin bypass. Credit to Jann Horn.
  • [$1000][342735] Medium CVE-2014-1727: Use-after-free in forms. Credit to Khalil Zhani.

"As usual, our ongoing internal security work [is] responsible for a wide range of fixes: [360298] CVE-2014-1728: Various fixes from internal audits, fuzzing, and other initiatives. [345820, 347262, 348319, 350863, 352982, 355586, 358059] CVE-2014-1729: Multiple vulnerabilities in V8 fixed in version 3.24.35.22."

About

Charlie Osborne, a medical anthropologist who studied at the University of Kent, UK, is a journalist, freelance photographer and former teacher. She has spent years travelling and working across Europe and the Middle East as a teacher, and has been involved in the running of businesses ranging from media and events to B2B sales.
