Google Chrome 44 Updates for 43 Vulnerabilities
Google pays out $39,674 in awards to researchers for disclosing web browser vulnerabilities.
Google is updating its Chrome web browser with a new release that patches a long list of security vulnerabilities. Chrome 44 officially debuted on Google's Chrome stable channel on July 21, with patches for at least 43 different security vulnerabilities. While 43 is a sizable number of vulnerabilities, it's actually smaller than some recent Chrome updates, including Chrome 42, which had patches for 45 vulnerabilities.
Across the 43 patched security vulnerabilities, Google is paying security researchers at least $39,674 in awards. There are four vulnerabilities listed in Google's bug count for Chrome 43 where no financial amount is listed, only a TBD, indicating that an amount has not yet been determined.
For Chrome 44, the single largest payout for an individual flaw is $7,500, which is being awarded to two different researchers. One of the $7,500 payouts is going to a researcher identified only as "anonymous." The flaw is identified as CVE-2015-1286 and is a Universal Cross Site Scripting (UXSS) bug in the blink rendering engine. Blink is Google's own rendering engine for Chrome, which was forked from the open source WebKit engine used in Apple's Safari browser.
The second $7,500 award is being given to WangTao(neobyte) of Baidu X-Team, also for the discovery of a UXSS flaw in Chrome. WangTao's flaw is identified as CVE-2015-1275.
A researcher identified as "cloudfuzzer" appears to be the big winner in terms of the total number of awards granted for the Chrome 44 release. Cloudfuzzer is being awarded a total of $8,000 for a pair of flaws. Google is paying cloudfuzzer $3,000 for a heap buffer overflow vulnerability identified as CVE-2015-1271, in the pdfium PDF technology. Cloudfuzzer will be collecting an additional $5,000 from Google for CVE-2015-1280, which is a memory corruption vulnerability in the skia 2D graphics library engine.
Among the other interesting security flaws patched by Google is CVE 2015-1274, for which Google has not yet determined the actual dollar figure for an award. The flaw, however, is terrifying.
"Settings allowed executable files to run immediately after download," Google warned.
On the somewhat less serious front is CVE-2015-1288, which is a $500 award being given to security researcher Michael Ruddy. Ruddy found that in Chrome, spell checking dictionaries could be fetched over HTTP. Generally speaking, Google prefers HTTPS, encrypted HTTP everywhere to prevent man-in-the-middle attacks.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist