Google plugs 13 security holes with another Chrome update

Chrome seems to update almost as often as it crashes...

The critical flaws plugged in Chrome version 19.0.1084.52 for Windows, Mac OS X, and Linux are a browser memory corruption with websockets over SSL and a use-after-free in the browser cache.

The high-risk flaws in Chrome fixed by Google include crashes in v8 garbage collection, a use-after-free in first-letter handling, crashes in the plug-in JavaScript bindings, out-of-bounds writes in PDF, a use-after-free with invalid encrypted PDF, an invalid cast with colorspace handling in PDF, buffer overflows with PDF functions, and type corruption in v8. One was a Linux-only problem: a bad cast in the GTK UI.

Google doled out an uninspiring $4,837 in bug bounties, including $1,337 to “efbiaiinzinz” for help with the critical browser cache flaw, $1,000 to miaubiz, $1,500 to Christian Holler, and $1,000 to Micha Bartholomé.

As reported by Infosecurity, Google also this week published a detailed explanation of Pinkie Pie’s winning hack of Chrome at its Pwnium hacking contest.

Pinkie Pie used a chain of six different bugs to navigate through the code, step by step, until the prize of a sandbox breakout was achieved. The path led from an initial bug in pre-rendering to a buffer overflow in the GPU process, which ultimately yielded arbitrary code execution that let the GPU process impersonate the renderer. From the renderer, Pinkie was able to reach the extension manager. From there, two further bugs allowed him “to install and run his own NPAPI plug-in that executed outside the sandbox at full user privilege.”
 
