Jump to content

Google Chrome 50 Released with 20 Security Bugfixes


Recommended Posts

Upgrade now to fix security issues, but don't forget to enjoy Chrome's new Push notifications as well

Google and Chrome users have reached their golden anniversay today, as the company announced the release of Chrome 50.

As this version launched just a few hours ago, we're still busy sifting through the changelog for all updates, so keep an eye out for a subsequent article that highlights Chrome 50's major features.

What we know about Google 50 already, is its list of security-related bugfixes, which the company has announced on its blog.

Security researchers pocketed $17,500 for Chrome 50's bugs

As Google engineers have revealed, Chrome 50 fixed 20 security issues, eight of which were reported by external researchers, while the rest were fixed internally by Google own staff working on the Chromium project.

For the bugs provided by third-party developers, Google paid rewards totaling $17,500 (€15,500). Back in February, Google paid $25,633.70 (€23,090.3) just for one security bug in Chrome 48.0.2564.116.

This doesn't mean that Chrome 50 didn't fix important security issues, but only means that these bugs didn't leverage unique or novel attack techniques, so they didn't receive high-value bounties.

Other bugs fixed, but not less important

The biggest bounty paid for bugs in Chrome 50.0.2661.75 was to an anonymous security researcher, who received $7,500 (€6,600) for a universal XSS (cross-site scripting) vulnerability in the browser's extensions page (CVE-2016-1652).

Other bugs fixed in Chrome included an out-of-bounds write in Chrome's V8 JavaScript engine (CVE-2016-1653), an out-of-bounds memory read issue (CVE-2016-1651) in PDFium, Chrome's PDF rendering engine, and an uninitialized memory read in the browser's media component (CVE-2016-1654).

On top of these, Google also patched a use-after-free flaw in the extensions component (CVE-2016-1655), an Android downloaded file path restriction bypass (CVE-2016-1656), a potential leak of sensitive information to malicious extensions (CVE-2016-1658), and an address bar spoofing vulnerability (CVE-2016-1657), just like one recently fixed in Vivaldi.

Chrome users can use the browser's built-in updater to upgrade their browser, they can download the most recent version of Chrome from its homepage, or Google Chrome download mirrors for Linux, Mac OS X and Windows operating systems.

Article source

Link to comment
Share on other sites

  • Replies 0
  • Views 377
  • Created
  • Last Reply


This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...