Google is out with its first security update for Chrome 18, barely a week after Chrome 18 was issued as a stable release.
Among the "big fix" items in the new Chrome 18.0.1025.151 release is a Flash player security update, that only Google Chrome is receiving. Google Chrome is the only browser that directly integrates Adobe Flash.
"The Chrome update includes fixes to two memory corruption vulnerabilities that were specific to Adobe Flash Player integrated with Google Chrome," Wiebke Lips, Senior Manager of Corporate Communications at Adobe, told eSecurityPlanet. "In other words, these vulnerabilities do not impact Flash Player for any other browser or platform."
The Flash player flaws were additional vulnerabilities that were initially fixed in an Adobe Flash Player 18.104.22.168 update issued at the end of March. That update ushered in silent updates for Windows users of Flash Player on Firefox and Internet Explorer. Google's Chrome browser has provided silent updates for the integrated browser and flash solution since its initial release.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
Beyond Flash, Chrome 18.0.1025.151 fixes at least 12 security vulnerabilities, seven of which are rated by Google as being High Impact. Google is paying out $6,000 in awards to researchers for the reported flaws that have been fixed in this release.
The High Impact flaws are all use-after-free memory errors. The fixes resolve issues with run-in, box, and SVG handling as well as flaws in v8 bindings and HTMLMediaElement usage. There is also a High Impact use-after-free flaw applying to the style command that was reported by security researcher Michel Aubizziere (aka Miaubiz). Aubizziere is one of three security researchers that Google singled out at the beginning of March for a special award of $10,000. In the Chrome 18.0.1025.151 update, Aubizziere is credited with the discovery of five flaws in total for which Google is paying him $4,500 in security awards.
Google isn't the only tech vendor that paid for flaws that are now fixed in Chrome. One of the flaws fixed in Chrome 18.0.1025.151 was actually paid for by HP TippingPoint's Zero Day Initiative (ZDI). ZDI pays security researchers for their flaws and also runs the annual Pwn2Own browser hacking competition. According to ZDI, the flaw (ZDI-CAN-1528) affects WebKit and was first reported on March 14th.
While security is always a top concern in Google Chrome updates, so too are bug fixes. In Chrome 18.0.1025.151, Google is fixing a Canvas 2D drawing bug related to GPU acceleration. Canvas 2D is an HTML5 element that enables interactive content to run in a browser. As part of the initial Chrome 18 release, Google debuted GPU hardware based acceleration for Canvas 2D in an effort to enable more complex and detailed HTML5 games on Chrome.