Google March 24 sewed up six security holes in its Chrome Web browser with an upgrade to the stable and beta channels for Chrome 10.0.648.204 for Windows, Mac, Linux and Chrome Frame.
The search engine, which in this upgrade also added support for the browser’s password manager on Linux and fortified Chrome’s performance and stability, paid out $8,500 to the discoverers of the six vulnerabilities, all of which were rated high risk.
The holes include a buffer error in base string handling, for which Google paid $500; use-after-free in the frame loader, which earned the finder $1,000; and a use-after-free in HTML Collection that netted the discovery $2,000.
A stale pointer hole in CSS handling cost Google $1,500. Another stale pointer, albeit in SVG text handling, earned the finder $1,500. Lastly, Google made a $2,000 payout for a DOM tree corruption with broken node parentage.
Google in January launched its Chromium Security Rewards program, a controlled, crowdsourced approach to letting developers earn money by helping Google squash bugs in the open-source Web browser.
The program has since paid developers who found flaws more than $100,000 in rewards. Before this latest sextet of vulnerabilities, Google March 8 patched 25 flaws to prepare for the Pwn2Own hacking contest, where it promised $20,000 to the first person who could hack Chrome. Google won.
Google, which records its changes in a log, said it is keeping technical details of the new patched holes under wraps until a majority of users are up to date with the fix.
The latest Chrome update also included two reissued and blacklisted SSL (Secure Sockets Layer) certificates to protect against the theft of nine digital certificates from a Comodo reseller. Computerworld sniffed out the reissues, which are detailed in the Chromium security log.
Attackers impersonating a Comodo Security partner grabbed nine valid digital certificates for seven domains belonging to Microsoft, Google, Yahoo and Skype.
While Comodo revoked the certificates immediately, Google, Mozilla and Microsoft each issued updates to block the certificates and warn users if they tried to connect to fake sites.