Google Chrome Updated for Six Security Flaws
Chrome 4 gets its first security fixes--three of them rated as "high" in importance. But it's not all bad news.
Google is updating its Chrome browser for Windows, fixing six security flaws in the first update of the Chrome 4 stable Windows build since it debuted at the end of January.
The new Chrome 220.127.116.11 release also marks the first time that Google has publicly stated that it has paid a security researcher for finding a flaw in Chrome.
Under Google's new bug bounty program -- the Chromium Security Award, which pays researchers for responsibly reporting security issues to the company -- researcher Timothy Morgan of Virtual Security Research reported an HTTP authentication flaw in Chrome, which Google rated as medium in severity.
For his efforts, Google awarded Morgan $500. However, according to Google Chrome Program Manager Anthony Laforge, Morgan donated the Google reward to the Haiti relief effort. Laforge noted in a blog post that Google then upped the donation to $1,337.
Google has not provided much detail on the three vulnerabilities as of press time, noting in its advisory that, "the referenced bugs may be kept private until a majority of our users are up to date with the fix."
As opposed to browsers from Mozilla, Apple and Microsoft, Google Chrome users do not need to manually update Chrome themselves. Chrome has an auto-update mechanism that is supposed to keep Chrome users up-to-date. It's a mechanism that Google in the past has said keeps its users more up-to-date than rival browser vendors.
In May 2009, a Google-assisted study reported that Google's log files show that after 21 days of a Google Chrome release, 97 percent of users were updated to the latest version. Mozilla Firefox had 85 percent of users updated within 21 days. Apple's Safari only had 53 percent of users updated.