Google March 24 paid out $8,500 for six Chrome Web browser flaws found by enterprising developers. The company also issued two new SSL certificates to protect against the Comodo certificate issue.
Google March 24 sewed up six security holes in its Chrome Web browser with
an upgrade to the stable and beta channels for Chrome 10.0.648.204 for Windows,
Mac, Linux and Chrome Frame.
The search engine, which in this upgrade also added support
for the browser's password manager on Linux and
fortified Chrome's performance and stability, paid out $8,500 to the
discoverers of the six vulnerabilities, all of which were rated high risk.
The holes include a buffer error in base string handling, for which Google
paid $500; use-after-free in the frame loader, which earned the finder $1,000;
and a use-after-free in HTML Collection that netted the discovery $2,000.
A stale pointer hole in CSS handling cost
Google $1,500. Another stale pointer, albeit in SVG text handling, earned the
finder $1,500. Lastly, Google made a $2,000 payout for a DOM
tree corruption with broken node parentage.
Google in January launched its Chromium Security Rewards program, a
controlled, crowdsourced approach to letting developers earn money by helping
Google squash bugs in the open-source Web browser.
The program has since paid developers who found flaws more than $100,000 in
rewards. Before this latest sextet of vulnerabilities, Google March 8 patched
25 flaws to prepare for the Pwn2Own hacking
contest, where it promised $20,000 to the first person who could hack Chrome.
Google, which records its changes in a log
, said it is keeping technical
details of the new patched holes under wraps until a majority of users are up
to date with the fix.
The latest Chrome update also included two reissued and blacklisted SSL
(Secure Sockets Layer) certificates to protect against the theft of nine
digital certificates from a Comodo reseller. Computerworld
sniffed out the reissues, which are detailed
in the Chromium security log.
Attackers impersonating a Comodo Security partner grabbed
nine valid digital certificates for seven domains
belonging to Microsoft, Google, Yahoo and Skype.
While Comodo revoked the certificates immediately, Google, Mozilla and
Microsoft each issued updates to block the certificates and warn users if they
tried to connect to fake sites.