GOOGLE latest stable update for chrome browser comes with vulnerabilities!!!
This week, Google released the latest stable update for its chrome browser addressing three high priority security vulnerabilities. Version 49.0.2623.87 of Chrome is available now for Windows, Mac and Linux computers, and although Google isn’t willing to discuss the fixes in detail, a recent blog post explains the basics of the bugs.The stable channel has been updated to 54.0.2840.87 for Windows, Mac, and 54.0.2840.90 for Linux. This will roll out over the coming days/weeks.CVE-2016-1643, the first of the three security issues, is a type confusion within Blink, which ZDNet describes as a rendering engine used by the Chrome browser. The researcher who discovered the vulnerability was rewarded $5,000.
CVE-2016-1644, the second issue, was also a Blink-related issue. The use-after-free vulnerability in Blink was a memory corruption problem which could have given hackers the ability to execute code on the browser remotely. The researcher behind this discovery, Atte Kettunen of the Oulu University Secure Programming Group was granted $3,500.
CVE-2016-1645, the third and final flaw, was an out-of-bounds write issue in PDFium (Chrome’s PDF rendering engine). Google credits an anonymous researcher working with HP’s Zero Day Initiative for this discovery, but didn’t announce any sort of reward.
As long as you’ve closed and reopened your Chrome browser in the past couple of days, chances are that your browser has been automatically updated. But if you want to make sure, just tap the menu button in the top right corner of the browser, click Settings and then navigate to the About tab on the left-hand side of the screen.
If you see “Google Chrome is up to date,” then you’re good to go. Otherwise, the update should be in the process of downloading. Let it finish, then restart your browser. Now you’re safe from those vulnerabilities.
Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
[$NA][659475] High CVE-2016-5198: Out of bounds memory access in V8. Credit to Tencent Keen Security Lab, working with Trend Micro's Zero Day Initiative
The latest Google Chrome browser update comes with 33 vulnerability patches, including 13 that are high-severity. It’s all thanks to community contributors and bug fighters who submitted fixes for Chrome’s bug bounty program program.
Many of the vulnerabilities fixed in this release were part of the browser’s engine Blink, but some of the more high-severity discoveries were for Chrome’s built-in PDF reader, PDFium.
This big rollout of bug fixes follows another busy month, where 48 vulnerabilities were patched in July alone. Some of the bug bounty contributors netted themselves quite a bit of cash too, up to $7,500 per cross-site scripting bug caught.
The beauty of a bug bounty program is that anyone with some programming and security know-how can examine the code of the program in question and find potential security risks.
If the security vulnerability is verified, the researcher is compensated for their work by the company that set the bounty, and we, the consumers, all have a safer experience for it.
Thousands of software companies now offer bug bounties for researchers to find security flaws in their programs, from small firms to large enterprises.
And it’s not just companies that offer such rewards. Recently, the US Department of Defense created its own bug bounty called “Hack the Pentagon,” which rewarded 138 researchers for their discoveries of critical security flaws in national defense infrastructure.
The Chrome update will be rolled out over the next few weeks. Google says that details about the bugs may be kept under wraps until most users have updated.
CVE-2016-1644, the second issue, was also a Blink-related issue. The use-after-free vulnerability in Blink was a memory corruption problem which could have given hackers the ability to execute code on the browser remotely. The researcher behind this discovery, Atte Kettunen of the Oulu University Secure Programming Group was granted $3,500.
CVE-2016-1645, the third and final flaw, was an out-of-bounds write issue in PDFium (Chrome’s PDF rendering engine). Google credits an anonymous researcher working with HP’s Zero Day Initiative for this discovery, but didn’t announce any sort of reward.
As long as you’ve closed and reopened your Chrome browser in the past couple of days, chances are that your browser has been automatically updated. But if you want to make sure, just tap the menu button in the top right corner of the browser, click Settings and then navigate to the About tab on the left-hand side of the screen.
If you see “Google Chrome is up to date,” then you’re good to go. Otherwise, the update should be in the process of downloading. Let it finish, then restart your browser. Now you’re safe from those vulnerabilities.
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
[$NA][659475] High CVE-2016-5198: Out of bounds memory access in V8. Credit to Tencent Keen Security Lab, working with Trend Micro's Zero Day Initiative
The latest Google Chrome browser update comes with 33 vulnerability patches, including 13 that are high-severity. It’s all thanks to community contributors and bug fighters who submitted fixes for Chrome’s bug bounty program program.
Many of the vulnerabilities fixed in this release were part of the browser’s engine Blink, but some of the more high-severity discoveries were for Chrome’s built-in PDF reader, PDFium.
This big rollout of bug fixes follows another busy month, where 48 vulnerabilities were patched in July alone. Some of the bug bounty contributors netted themselves quite a bit of cash too, up to $7,500 per cross-site scripting bug caught.
The beauty of a bug bounty program is that anyone with some programming and security know-how can examine the code of the program in question and find potential security risks.
If the security vulnerability is verified, the researcher is compensated for their work by the company that set the bounty, and we, the consumers, all have a safer experience for it.
Thousands of software companies now offer bug bounties for researchers to find security flaws in their programs, from small firms to large enterprises.
And it’s not just companies that offer such rewards. Recently, the US Department of Defense created its own bug bounty called “Hack the Pentagon,” which rewarded 138 researchers for their discoveries of critical security flaws in national defense infrastructure.
The Chrome update will be rolled out over the next few weeks. Google says that details about the bugs may be kept under wraps until most users have updated.
No comments:
Post a Comment