Google released its Chrome 9 stable Web browser less than a week ago, fixing at least nine security flaws. Apparently, they missed a few.
This week Google is out with Chrome 9.0.597.94 fixing at least five new security issues and including a new patched version of Adobe Flash.
Chrome is the only browser that directly integrates Adobe Flash with the browser, as opposed to requiring users to download and maintain a separate plug-in. The Flash Player 10.2 release is also available as a standalone update from Adobe for users of other browsers. Flash 10.2 now supports hardware acceleration for graphics, which is also something that Chrome 9 supports natively thanks to the integration of WebGL. Additionally, Flash 10.2 now integrates with the private browsing mode available in most browsers to ensure that data from those browsing sessions is not stored on the user's computer.
Of the five security issues, Google has rated three as having high impact.
There is a pair of high impact stale pointer issues fixed in Chrome 9.0.597.94. One of the stale pointers is related to animation event handling while the other deals with anonymous block handling.
The third high impact issue fixed is a use-after-free memory flaw with SVG image font faces.
Chrome 9.0.597.94 also provides fixes for a pair of medium impact flaws. One of them is a failure to process an out-of-memory condition while the other is an out-of-bounds read in plug-in handling.
In total, Google is awarding a trio of security researchers $3,000 for the reported flaws as part of the Chromium Security Award. The $3,000 bug bounty tally is a marginal increase from the $2,000 Google paid for flaws in the first Chrome 9 stable release, but is still a far cry from the $14,470.70 that Google paid for the Chrome stable 8.0.552.237 release at the beginning of the year.