Establishing Digital Trust: Don't Sacrifice Security for Convenience
Some software vendors prefer to deliver security updates on a scheduled basis: Microsoft's monthly "Patch Tuesday" is perhaps the best-known example of that approach. But Google takes a different road with its Chrome browser, opting instead to roll out updates on a rapid and ongoing basis.
Google is now updating Chrome 17, just one week after the browser was first released as a stable product. Last week's Chrome 17 stable release included at least 20 fixes for security vulnerabilities. This week's Chrome 17.0.963.56 release fixes 13 additional flaws that have bubbled to the surface in the last week.
Seven of the flaws fixed in Chrome 17.0.963.56 are rated as high severity by Google. One of these flaws is an integer overflow issue in the libpng graphics library. Google is awarding security researcher Juri Aedla a "leet" award of $1,337 for the discovery.
Aedla isn't the only security researcher that is profiting from the Chrome 17.0.963.56 release. In total, Google is awarding researchers $6,837 as part of the Chrome 17.0.963.56 release. The Chromium Rewards Program under which Google pays security researchers for discoveries was first introduced in November of 2010. Since then, Google has paid researchers over $410,000 in rewards for flaw discoveries.
Google gave Aedla his award for an overflow condition -- which is a class of vulnerability that is well represented in the Chrome 17.0.963.56 update. In overflow conditions, system memory becomes potentially exploitable after program data overruns its allocated boundaries. Overflow conditions fixed in Chrome 17.0.963.56 include heap overflows in path and MKV rendering. There is also an integer overflow condition in PDF codecs that has been fixed.
As was the case with the initial Chrome 17 stable release, use-after-free memory errors are also well represented in the patch list. Use-after-free vulnerabilities occur when a function or process does not properly relinquish a memory block after use, which can potentially enable an attacker to use the same memory block to launch an attack. High severity use-after-free flaws fixed in Chrome 17.0.963.56 include errors in database handling and subframe loading. Google has rated use-after-free flaws in counter nodes as well as drag-and-drop operations as medium severity.
In addition to the flaws fixed by Google, Chrome 17.0.963.56 includes an updated Flash Player 18.104.22.168. Adobe issued their own security patched Flash Player this week, fixing at least seven vulnerabilities. Chrome is the only browser that directly integrates and includes Adobe's Flash Player as part of its release.
Among the fixes in Flash Player is a zero day flaw that Adobe said was already being exploited by attackers.
Note: Because Chrome installs new updates silently as a background process in Windows, most users will automatically be upgraded to the latest version.