Google Patches 12 Flaws, Pays $11K Bug Bounty in Chrome Update

Google has patched 12 security vulnerabilities in the latest version of its Chrome web browser

While details on the vulnerabilities’ specifics are blocked by Google for now (the company wants a preponderance of users updated before opening the kimono to potentially nefarious types), the update does alert us that six of the flaws are high-risk bugs.

Several external researchers were able to claim a bounty, like Khalil Zhani, who collected $500 for a medium-risk flaw related to speech input elements [CVE-2013-6621], and Michel Aubizzierre, a.k.a. “Miaubiz,” who snagged $500 for the high-risk CVE-2013-6623 that involves an out-of-bounds read in SVG.

Jon Butler earned $1,000 for a high-risk flaw concerning use after free related to “id” attribute strings [CVE-2013-6624], while Antoine Delignat-Lavaud and Karthikeyan Bhargavan from Prosecco of INRIA Paris received $1,000 to share for a medium-risk issue that involved certificates not being checked during TLS renegotiation [CVE-2013-6628].

And the two biggest payouts went to “Skylined,” who realized $4,000 for an out-of-bounds read in HTTP parsing [CVE-2013-6627] and a hacker with the handle of “cloudfuzzer,” who earned $2,000 each for two high-risk issues, one concerning media elements [CVE-2013-6622] and one found in DOM ranges [CVE-2013-6625].

Other non-bounty finds include the low-risk CVE-2013-6626, which involves address bar spoofing related to interstitial warnings (found by Chamal de Silva). Patrik Höglund of the Chromium project uncovered the high-risk CVE-2013-6631, for use after free in libjingle.

And finally, Google’s own Michal Zalewski found flaws leading to a read of uninitialized memory in libjpeg and libjpeg-turbo [medium-risk CVE-2013-6629 and CVE-2013-6630]. In addition, the medium-critical CVE-2013-2931 has various fixes from internal audits, fuzzing and other initiatives, Google said.

The $11,000 pales in comparison to previous payouts. In March, Google fixed 17 high-risk vulnerabilities in its Chrome update and doled out a record $47,500 in bug bounties. Out of that, it gave $10,000 to each of three researchers as a “surprise bonus” for “sustained, extraordinary contributions” to fixing Chrome bugs. The three researchers were the aforementioned Miaubiz, Aki Helin and Arthur Gerkis.
