Google Shells Out $14,470.70 to Fix Chrome 8
Google updates its Chrome browser for a long list of security vulnerabilities, paying out 13 bug bounties to the researchers who found the flaws.
Google is updating both its Chrome browser and Chrome OS operating system this week, fixing at least 16 different security vulnerabilities.
The Chrome stable 8.0.552.237 and Chrome OS 8.0.552.334 releases are the first major updates to the stable Chrome builds in 2011.
The releases also mark a new milestone for Google Chrome with the first public report of a critical flaw in Chrome for which Google will pay out an Elite level Chromium Security Reward.
The security reward program was started by Google in 2010 as a bug bounty program to pay security researchers for their discoveries. The Elite level reward was introduced in late 2010 as a way to recognize the most severe types of flaws. For elite critical level flaws, Google will pay out $3,133.70, which is higher than the $1,337 that Google pays out for high level flaws. In total Google is paying researchers $14,470.70 in rewards for all the flaws fixed in the latest Chrome browser release.
Security researcher Sergey Glazunov is credited by Google with discovering the critical flaw, a stale pointer flaw that earned him the elite security reward. Glazunov also reported an additional four flaws that were fixed in the new Chrome release. Glazunov earned $1,337 for a high impact, bad pointer handling flaw as well as $1,000 for a stale pointer flaw with CSS. Rounding out Glazunov's reports are a pair of bad cast flaws, one for anchor handling, the other for video handling. Google rewarded Glazunov $1,000 for each of the bad cast flaws.
Glazunov wasn't the only one who earned rewards from Google with the latest Chrome release.
Google is awarding researcher Jan Tosovsky $500 for the discovery of a stale pointer flaw with CSS and cursors. A stale pointer flaw with SVG will net a security researcher known as miaubiz $500. A researcher known as kuzzcc will earn $1,000 for the report of an uninitialized browser pointer flaw that could be triggered by way of a malicious Chrome extension.
Chrome 8 includes an integrated PDF reader, which is related to a pair of security fixes in the new release. Security researcher Jared Allar is being awarded $1,000 for the discovery of a stack corruption flaw after a PDF out-of-memory condition. A buffer overflow flaw in PDF shading was reported by researcher Aki Helin, who will earn $1,000 for the report.
PDF content isn't the only type of media-related flaw fixed in the new Chrome releases either. Aki Helin is also jointly credited alongside researcher David Warren and Google's own security team for the discovery of a bad memory access flaw with mismatched video frame sizes. Warren is also credited with the discovery of a Vorbis decoder buffer overflow flaw.
The Chrome stable 8.0.552.237 update follows the first stable release of Chrome 8 in December. Chrome 9 is currently in beta while Chrome 10 is being actively worked on in Google Chrome's developer channel release cycle.