Google on Monday patched vulnerabilities in Chrome, paying nine researchers $ in bug bounties for reporting the flaws.
As it did last year, Google beefed up the security of its browser a week before the kickoff of Pwn2Own, the annual hacking contest held at the CanSecWest security conference in Vancouver, British Columbia.
The update to Chrome 9 fixed flaws rated “high,” the second-most-severe ranking in Google’s threat system, and quashed three “medium” bugs.
None of the vulnerabilities were ranked “critical,” the category essentially reserved for bugs that may let an attacker escape Chrome’s anti-exploit “sandbox.” Google patched two sandbox-escape bugs — both pegged critical — in Chrome this year.
The bugs patched Monday were in several components, including WebGL, the hardware-accelerated 3D graphics API that debuted in early February with Chrome 9; SVG (scalable vector graphics) rendering and animation; and the browser’s address bar.
Nearly a quarter of the vulnerabilities were identified as “stale pointer” bugs, Google’s term for what are more commonly called dangling-pointer or use-after-free flaws: code in Chrome keeps using a pointer to an object after that object’s memory has been freed, so the pointer may now reference whatever the allocator has placed in that memory since. Because an attacker can often influence what gets allocated there, such bugs are a common route to arbitrary code execution in a browser.
As is its practice, Google locked its bug tracking database to bar outsiders from viewing the technical details of the just-patched vulnerabilities. The company blocks public access to flaws for weeks or even months to give users time to update.
Google paid out $, the second-highest total this year, for the vulnerabilities found and reported by outside security researchers. Nine different researchers received checks, with Martin Barbella taking home $, Sergey Radchenko $ and two others $.
Google and Mozilla, which makes Firefox, are the only browser developers to pay bounties directly to bug researchers.
In hindsight, Monday’s update should have been expected: last year, Google also patched Chrome the week before Pwn2Own.
Pwn2Own begins in March, when security researchers will vie for fame and cash by trying to take down not just Chrome, but also the current versions of Apple’s Safari, Microsoft’s Internet Explorer, and Mozilla’s Firefox.
Monday’s patches could be particularly important this year, since Google has a special stake in Pwn2Own: It put up the $ prize for hacking Chrome on the first of the contest’s three days. (After that, if no one breaks the browser, the rules change and Google will fork over just $, with Pwn2Own sponsor HP TippingPoint ponying up the other $.)
At least one other browser builder will issue patches before Pwn2Own’s first day of competition. Mozilla has scheduled a security update for later today.
The patched Chrome 9 can be downloaded for Windows, Mac OS X and Linux from Google’s website. Users already running the browser will be updated automatically.