Google fixes three flaws in Chrome 20

Google fixes three flaws in Chrome 20

Summary: Google Chrome version 20.0.1132.57 is out, fixing three vulnerabilities in the browser. This is a security update release, meaning no new features have been added. You should still update.

SHARE:
Google fixes three flaws in Chrome 20

Google has released a new version of Chrome 20 that fixes three high-severity flaws. You can update to the latest version using the software's built-in silent updater, or you can download the latest version of Chrome directly from google.com/chrome.

Here are the three security vulnerabilities fixed in Google Chrome 20.0.1132.57:

  • 129898] High CVE-2012-2842: Use-after-free in counter handling. Credit to miaubiz.
  • 130595] High CVE-2012-2843: Use-after-free in layout height tracking. Credit to miaubiz.
  • [133450] High CVE-2012-2844: Bad object access with JavaScript in PDF. Credit to Alexey Samsonov of Google.

This round of patches in Google Chrome means the company only had to write one cheque to reward researchers who reported vulnerabilities. Miaubiz, who found the first two flaws, has netted quite a number of bug bounties from Google in the last couple of years. At this point, I'm wondering why Google doesn't just hire him and have him looking for security holes. The cost of a full-time salary for one engineer seems worth it to me.

In any case, the $2,000 pay out this month is just another drop in the bucket for Google. The search giant recently quintupled its maximum bug bounty to $20,000. The company has so far received about 800 qualifying vulnerability reports that span across the hundreds of Google-developed services, as well as the software written by 50 or so firms it has acquired. In just over a year, the program has paid out around $460,000 to roughly 200 individuals.

For the record, Google Chrome 20 was released just two weeks ago. In the meantime, Mountain View also released a beta of Google Chrome 21. I expect the new version will be released sometime in August, and I'll let you know when it is.

See also:

Topics: Security, Browser, Google, Software

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

4 comments
Log in or register to join the discussion
  • Why hire him? The $460K total they've paid out to 200 people is about what

    it would cost to hire 3 full time people and it sounds like they've found a lot more than 3 full timers would find. They're not paying for all the time people are spending looking and not finding stuff. I'd say they're way ahead. They could quintuple it again and probably still be ahead.
    Johnny Vegas
    • So they release software without the holes in the first place.

      Instead of having to patch them after they're released with the holes.
      Empro
      • time is money,

        and a long time ago a previous market leader also understood you get it to market first and fix it after that. Our free market society of the time - or at least the majority - didn't care much at the time, and the paradigm remains just as true today as ever.
        HypnoToad72
  • Google fixes three flaws in Chrome 20

    Kudos to those reporting the flaws and the Chrome team for patching.
    RickLively