Google Patches Chrome for 11 Flaws and $10K


Google is updating the stable version of its Chrome Web browser to address at least eleven security issues. As a result, the new Chrome 5.0.375.127 stable channel version is now available for Windows, Mac and Linux users, with fixes that patch a variety of potential security holes.

"These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or conduct spoofing attacks," US-CERT noted in its advisory on the update.

While Google has its own security team, the 5.0.375.127 release evidently benefited from the contributions of multiple third-party security researchers. At the beginning of 2010, Google's Chromium Security Award initiative was launched as a way to both solicit and reward security researchers for their discoveries.

Google is an advocate of paying security researchers for their discoveries, as is rival browser vendor Mozilla, maker of the Firefox browser. As part of the Chrome 5.0.375.127 release, Google said it shelled out a total of $10,008 in bounties to a handful of researchers for their discoveries.

Security researcher Sergey Glazunov is credited by Google with uncovering a number of vulnerabilities in Chrome. Among Glazunov's discoveries are a pair of memory corruption issues: one is a file dialog issue and the other a problem in handling MIME types. Glazunov is also credited with the discovery of a notifications bug that caused a crash on shutdown.

Security researcher "wushi" of team509 is also credited by Google for multiple discoveries. One of wushi's findings is a memory corruption issue with SVG graphics. The other is described by Google only as a "Bad cast with text editing" issue. Google has not yet provided public access to full details for the flaw, and a Google spokesperson was not available for comment by press time.

Another pair of memory corruption vulnerabilities was identified by security researcher "kuzzcc." One is a memory corruption issue with Ruby support, while the other centers on memory corruption in Chrome's Geolocation support.

Chrome 5.0.375.127 also addresses a pair of address bar vulnerabilities uncovered by two separate researchers. Security researcher Robert Hansen (also known as "rsnake") is credited with the discovery of an autosuggest flaw, while researcher Mike Taylor is credited with discovery of a bug that potentially enabled address bar spoofing.

"Aside from the listed security bugs fixed in Chromium, we have also deployed a workaround for a critical vulnerability where the root cause lies in an external component," Jason Kersey, a Google Chrome developer, wrote in a blog post. "Credit and $1,337 to Marc Schoenefeld for enabling us to work around another Windows kernel bug."

Beyond the new stable channel update for Google Chrome, Google is also opening up a developer preview of its Chrome Web store, where the company plans to enable developers to sell and showcase their Chrome extensions.

"When the Chrome Web Store launches, it will replace the current gallery, featuring a completely new design for users to discover great apps, extensions and themes all in one place," Google software engineer Michael Noth blogged. "Until then, only you can see the apps you upload -- they will not be visible to other visitors of the gallery during this developer preview."

Sean Michael Kerner is a senior editor at, the news service of, the network for technology professionals.
