Google shells out $10,000 to fix 10 high-risk Chrome browser flaws

Google shells out $10,000 to fix 10 high-risk Chrome browser flaws

Summary: The new Google Chrome version 14.0.835.202 also contains Adobe Flash Player 11, a software update that includes several security and privacy goodies.

SHARE:
TOPICS: Security, Browser, Google
5

Google has shipped another Chrome browser update with fixes for several "high-risk" security vulnerabilities that expose Windows, Mac OS X and Linux users to malicious hacker attacks.

The new Google Chrome version 14.0.835.202 also contains Adobe Flash Player 11, a software update that includes several security and privacy goodies.

As part of its bug bounty program, Google spent about $10,000 to buy the rights to the vulnerability information from security researchers.

Details on the vulnerabilities:

  • [$1000] High CVE-2011-2876: Use-after-free in text line box handling. Credit to miaubiz.
  • [$1000] High CVE-2011-2877: Stale font in SVG text handling. Credit to miaubiz.
  • [$2000] High CVE-2011-2878: Inappropriate cross-origin access to the window prototype. Credit to Sergey Glazunov.
  • [96150] High CVE-2011-2879: Lifetime and threading issues in audio node handling. Credit to Google Chrome Security Team (Inferno).
  • [$4500] High CVE-2011-2880: Use-after-free in the v8 bindings. Credit to Sergey Glazunov.
  • [$1500] High CVE-2011-2881: Memory corruption with v8 hidden objects. Credit to Sergey Glazunov.
  • [98089] Critical CVE-2011-3873: Memory corruption in shader translator. Credit to Zhenyao Mo of the Chromium development community.

This latest Chrome patch is being delivered via the browser's silent update mechanism.

Topics: Security, Browser, Google

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

5 comments
Log in or register to join the discussion
  • Peanuts

    $10,000 is a very small price to pay to insure security of one of the most used pieces of software in the world.
    Michael Kelly
    • Agreed.

      What's going on is a cheap form of crowdsourcing. Most hackers would be more inclined to exploit the hole than to fix it for, yes indeed, peanuts.
      HypnoToad72
  • Errr....

    Cheapskates. On the other hand with the number of bugs in Chrome browser, it will make some people rich!
    Gisabun
    • You need to focus. These are issues for Microsoft.

      <font size=2>@Gisabun .. Issues categorized as security problems for Microsoft, and not a threat to Linux or Apple are also (non-critical) adjustments made to the Linux and Apple versions. It's how software works. So, in effect, Linux and Apple versions get changes made for issues that don't affect their security.<br><br>If that were not true, my Linux would have gotten at least some infections in the last 9 years using Firefox and Chrome. Problems with Linux or Apple using Chrome or Firefox aren't a factor. Microsoft, on the other hand has many, many holes which are constantly exploited through software, and the issues are critical.<br><br>So, even though you don't realize it, (probably due to years of ZDNet propaganda), your complaints about "the number of bugs in Chrome browser" are really an indictment of Windows bugs. Application software, no matter how well written, can completely cover security issues in a poorly written OS that relies on closed source code ambiguity of the binary files for protection. Windows has been doing that from the beginning.<br><br><i>"...expose Windows, Mac OS X and Linux users to malicious hacker attacks."</i><br><br>This is a common tool used many times over the years at ZDNet to "spread the blame" when only MS is the culprit. Ask yourself what OS initiated these "Bugs". What OS had the problems? Just because blanket changes are made does not mean there was a security issue with the other operating systems.

      This is a good example of ZDNet propaganda.<br><br></font>
      Joe.Smetona
    • Let's see:

      $1000 per issue.

      To be in the middle class, one would need maybe 60 issues per year...

      Just how many issues does Chrome have, again?

      The company that makes a product really should show some responsibility and ethics and keep up after itself, instead of going lowbrow with these patronizing tactics. Nothing is secure, but Google is just using a coy attempt to eschew their responsibility. If you or I started a business and asked others to fix bugs, what do you think they would be thinking? "Talentless hack wanting us to do their work for them and for chump change. (expletive) them."
      HypnoToad72