April 19, 2014

Google pays out $10,000 in rewards for latest release of Chrome

Chrome-logo-2011-03-16Google has released a new stable version of its popular web browser Chrome, in the process it has paid out $10,000 to security researchers who helped find security flaws in the software. Google pays rewards to independent security researchers who dig into Chromium (the open source version of Chrome) and attempt to find security vulnerabilities. These vulnerabilities are often memory issues like use-after-free errors or memory corruptions that could be exploited by hackers to execute arbitrary code on the machine running the browser.

The latest release includes 14 security fixes, two of which received rewards from Google. The rewards are as follows:

  • [$1000]High CVE-2013-6649: Use-after-free in SVG images. Credit to Atte Kettunen of OUSPG.
  • [$3000]High CVE-2013-6650: Memory corruption in V8. This issue was fixed in v8 version 3.22.24.16. Credit to Christian Holler.

However the reward payouts didn’t stop there. As part of the release announcement for Google Chrome 32.0.1700.102 the search giant also thanked  cloudfuzzer and miaubiz for helping out during the latest development cycle to prevent security bugs from entering into a stable release. For their efforts Google paid out an additional $6000, making the total pay out $10,000 for this release.

“We would also like to thank cloudfuzzer and miaubiz for working with us during the development cycle to prevent security bugs from ever reaching the stable channel,” said Karen Grunberg and Daniel Xie on the Chrome release blog.

Google also fixed a number of non-security related bugs including problems where Chrome became unresponive and broken scrolling on in combo boxes.

Chrome can be downloaded from http://google.com/chrome and is available for Windows, Mac and Linux.

Google fixes three High risk security bugs in Chrome 24.0.1312.56

Chrome-logo-2011-03-16(LiveHacking.Com) – Google has released Chrome 24.0.1312.56 with several important bug fixes along with five security related changes to patch vulnerabilities in the browser. Among the bug fixes are changes to improve mouse wheel scrolling performance and improvements to the installation process when the browser is installed as admin on Windows.

On the security side, Google paid out a $1000 reward to Atte Kettunen of OUSPG for finding a High priority use-after-free bug in the canvas font handling. Google considers a vulnerability High risk if it could could let an attacker read or modify confidential data belonging to other web sites. Also vulnerabilities that interfere with browser security features are also considered to have a high severity.

There were a further two High severity vulnerabilities fixed, both of which were found by employees of Google. The first was an unchecked array index in content blocking that was discovered by Chris Evans. The second was a crash that occurred with an unsupported RTC sampling rate. This Mac only vulnerability was found by Ted Nakamura.

 

Google updates Chrome to fix a Critical vulnerability and update Flash

(LiveHacking.Com) –  Google has released a new version of Chrome for Windows, Mac and Linux. Chrome 23.0.1271.97 fixes several non-security related bugs along with at least one Critical level security vulnerability. The new version also includes an updated version of Flash following Adobe’s security update.

The Critical level bug is a crash in the history navigation. It was found by Michal Zalewski of the Google Security Team. The other security related bugs, along with the money awarded to the bounty hunter by Google under the Chromium security rewards scheme, are:

  • [$1500] [158204] High CVE-2012-5139: Use-after-free with visibility events. Credit to Chamal de Silva.
  • [$1000] [159429] High CVE-2012-5140: Use-after-free in URL loader. Credit to Chamal de Silva.
  • [160456] Medium CVE-2012-5141: Limit Chromoting client plug-in instantiation. Credit to Google Chrome Security Team (Jüri Aedla).
  • [160926] Medium CVE-2012-5143: Integer overflow in PPAPI image buffers. Credit to Google Chrome Security Team (Cris Neckar).
  • [$2000] [161639] High CVE-2012-5144: Stack corruption in AAC decoding. Credit to pawlkt.

The new version also fixes the following non-security related bugs

  • Some texts in a Website Settings popup are trimmed (Issue: 159156)
  • Linux: <input> selection renders white text on white bg in apps (Issue: 158422)
  • some plugins stopped working (Issue: 159896)
  • Windows 8: Unable to launch system level chrome after self destructing user-level chrome (Issue: 158632)

In Brief: Google releases Chrome 23.0.1271.95 and gives Pinkie Pie $7331

(LiveHacking.Com) –  Google has released a new version of its Chrome browser (23.0.1271.95) just three days after releasing the previous version. This new update is a purely security related release and it fixes two high rated security vulnerabilities.

In Google speak, High means that the vulnerability could let an attacker read or modify confidential data belonging to other web sites. Also vulnerabilities that interfere with browser security features are also high severity.

The first vulnerability fixed, found by Jüri Aedla of the Google Chrome Security Team, was a bug in file path handling. The second, found by Pinkie Pie, was a use-after-free in media source handling. Pinkie Pie’s bug earned the researcher $7331.

Chrome 23.0.1271.91 fixes some High risk security vulnerabilities but nothing Critical

(LiveHacking.Com) – Google has released Chrome 23.0.1271.91 for Windows, Mac and Linux. The release fixes several bugs including an audio problem with Flash when the speaker configuration was set to Quadraphonic, however more importantly it fixes several High risk security vulnerabilities, but nothing ranked as Critical.

This release fixes three vulnerabilities with the  High rating. High in this context means that the vulnerability could let an attacker read or modify confidential data belonging to other web sites. Also vulnerabilities that interfere with browser security features are also high severity.

Under the Chromium security rewards scheme, Justin Drake was given a special reward for finding a bug in OS X which was sufficiently severe or particularly hard to workaround that it affects Chrome indirectly. In this case the High level vulnerability was a connected with a corrupt rendering in the Apple OSX driver for Intel GPUs.

Miaubiz was also hard at work and is credited with finding a High risk use-after-free bug in the SVG filters. Use-after-free bugs are good potential candidates for a full exploit. The other High rated vulnerability was a buffer underflow in libxml. The credit for fining that one goes to Jüri Aedla of the Google Chrome Security Team.

The full list of bugs is as follows:

  • [$1000] [152746] High CVE-2012-5131: Corrupt rendering in the Apple OSX driver for Intel GPUs. Credit to Justin Drake.
  • [$1000] [156567] High CVE-2012-5133: Use-after-free in SVG filters. Credit to miaubiz.
  • [$500] [148638] Medium CVE-2012-5130: Out-of-bounds read in Skia. Credit to Atte Kettunen of OUSPG.
  • [155711] Low CVE-2012-5132: Browser crash with chunked encoding. Credit to Attila Szász.
  • [158249] High CVE-2012-5134: Buffer underflow in libxml. Credit to Google Chrome Security Team (Jüri Aedla).
  • [159165] Medium CVE-2012-5135: Use-after-free with printing. Credit to Fermin Serna of Google Security Team.
  • [159829] Medium CVE-2012-5136: Bad cast in input element handling. Credit to Google Chrome Security Team (Inferno).

It is worth noting that Google keep the referenced bugs private until a majority of Chrome users are up to date with the fixes.

Google releases Chrome 23 with some unique security bug fixes

(LiveHacking.Com) – Google has released Chrome 23 with some new features, like the option to send a ‘do not track’ request to websites, as well as some interesting security fixes. A “normal” Chrome update includes a variety of bug fixes found by Google itself and by outside security researchers who are reward (in cash) by Google for their efforts. However this time things are slight different.

First of all Google has issued a special reward to  miaubiz for non-Chrome related bug which is very severe and/or Google are able to partially work around the issue. In this case it was a way to defend against wild writes in buggy graphics drivers on Mac OS X. miaubiz got $1000 for his efforts!

This then also led to another $1000 for miaubiz for an integer bounds check issue in GPU command buffers, again only on Mac OS X.

Finally there is a out-of-bounds array access bug in v8 which was found by Atte Kettunen of OUSPG. This particular bug only affected Linux 64-bit systems only.

For the rest it was security bug squashing as normal:

  • [$3500] [157079] Medium CVE-2012-5127: Integer overflow leading to out-of-bounds read in WebP handling. Credit to Phil Turnbull.
  • [$1000] [143761] High CVE-2012-5116: Use-after-free in SVG filter handling. Credit to miaubiz.
  • [$1000] [154055] High CVE-2012-5121: Use-after-free in video layout. Credit to Atte Kettunen of OUSPG.
  • [145915] Low CVE-2012-5117: Inappropriate load of SVG subresource in img context. Credit to Felix Gröbert of the Google Security Team.
  • [149759] Medium CVE-2012-5119: Race condition in Pepper buffer handling. Credit to Fermin Serna of the Google Security Team.
  • [154465] Medium CVE-2012-5122: Bad cast in input handling. Credit to Google Chrome Security Team (Inferno).
  • [154590] [156826] Medium CVE-2012-5123: Out-of-bounds reads in Skia. Credit to Google Chrome Security Team (Inferno).
  • [155323] High CVE-2012-5124: Memory corruption in texture handling. Credit to Al Patrick of the Chromium development community.
  • [156051] Medium CVE-2012-5125: Use-after-free in extension tab handling. Credit to Alexander Potapenko of the Chromium development community.
  • [156366] Medium CVE-2012-5126: Use-after-free in plug-in placeholder handling. Credit to Google Chrome Security Team (Inferno).
  • [157124] High CVE-2012-5128: Bad write in v8. Credit to Google Chrome Security Team (Cris Neckar).

Since adobe has released a new version of its ubiquitous Flash Player to address vulnerabilities that could cause a crash and potentially be exploited by an attacker to infect a PC with malware, Chrome 23 includes the updates version of Flash Player.

Google updates Chrome after successful exploit at Pwnium 2

(LiveHacking.Com) – Google has released a rapid update to its Chrome web browser after it was successfully exploited at the Google run Pwnium 2 hacking competition. Chrome 22.0.1229.94, which is available for Windows, Mac, and Linux, fixes a SVG use-after-free and IPC arbitrary file write bug that was successfully used by Pinkie Pie to fully exploit Chrome. The prize money was $60,000 which is the top amount awarded for a full Chrome exploit on a fully patched Windows 7  PC using only bugs in Chrome itself.

“We’re delighted at the success of Pwnium 2, and anticipate additional hardening and future improvements to Chrome as a result of the competition,” wrote Jason Kersey from Google’s Chrome team.

The official bug list is as follows:

  • [$60,000][154983][154987] Critical CVE-2012-5112: SVG use-after-free and IPC arbitrary file write. Credit to Pinkie Pie.

PinkiePie (aka PwniePie) is no stranger to exploiting Chrome. Back in March he also received $60,000 after successfully demonstrating an exploit at the first Pwnium competition. Shortly after Google issued 17.0.963.79 to fix the vulnerability used. At the time, Jason Kersey from the Google Chrome team is quoted as calling the exploit “a beautiful piece of work.”

Google updates Chrome to fix Critical security vulnerability in audio device handling

(LiveHacking.Com) – Google has released Chrome 22.0.1229.92 to fix several security related bugs, including a Critical security vulnerability in its audio device handling, and to update the built-in Adobe Flash player. Google paid out over $4000 to Atte Kettunen of OUSPG for his help in finding the audio related bug and a crash in Skia text rendering.

The list of security fixes are:

[$1000] [138208] High CVE-2012-2900: Crash in Skia text rendering. Credit to Atte Kettunen of OUSPG.
[$3133.7] [147499] Critical CVE-2012-5108: Race condition in audio device handling. Credit to Atte Kettunen of OUSPG.
[$500] [148692] Medium CVE-2012-5109: OOB read in ICU regex. Credit to Arthur Gerkis.
[151449] Medium CVE-2012-5110: Out-of-bounds read in compositor. Credit to Google Chrome Security Team (Inferno).
[151895] Low CVE-2012-5111: Plug-in crash monitoring was missing for Pepper plug-ins. Credit to Google Chrome Security Team (Chris Evans).

It is worth noting that Google keep the referenced bugs private until a majority of Chrome users are up to date with the fixes.

Also included in Chrome 22.0.1229.92 is the latest version of the Adobe Flash Player which was just updated to address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system. The new versions in Chrome are 11.4.31.110 for Windows and Linux, and 11.4.402.287 for Macintosh.

Google releases Chrome 22 with $28,500 worth of security fixes and a workaround for a Windows kernel memory corruption

(LiveHacking.Com) – Google has released Chrome 22 with a variety of new features including a new Mouse Lock API (used mainly by 3D games) and some very important security fixes including a Critical level fix for a Windows kernel memory corruption. Under its reward scheme, which pays security researchers real money for their efforts in finding vulnerabilities in Chrome, Google paid out $28500 for vulnerabilities fixed in Chrome 22, one of which (the Windows kernel memory corruption) was award $10,000 while two UXSS  vulnerabilities earned Sergey Glazunov $15,000.

There are no details yet on the Windows kernel memory corruption or the nature of the Universal XSS flaws as Google (wisely) keeps the bug details private until a majority of users have updated. The Critical flaw in Windows (146254 / CVE-2012-2897) is credited to Eetu Luodemaa and Joni Vähämäki, both from Documill.

The UXSS errors are rated has High:

  • [143439] High CVE-2012-2889: UXSS in frame handling. Credit to Sergey Glazunov.
  • [143437] High CVE-2012-2886: UXSS in v8 bindings. Credit to Sergey Glazunov.

Other security related bugs fixed (along with the related rewards) are:

  • [$2000] [139814] High CVE-2012-2881: DOM tree corruption with plug-ins. Credit to Chamal de Silva.
  • [$1000] [135432] High CVE-2012-2876: Buffer overflow in SSE2 optimizations. Credit to Atte Kettunen of OUSPG.
  • [$1000] [140803] High CVE-2012-2883: Out-of-bounds write in Skia. Credit to Atte Kettunen of OUSPG.
  • [$1000] [143609] High CVE-2012-2887: Use-after-free in onclick handling. Credit to Atte Kettunen of OUSPG.
  • [$1000] [143656] High CVE-2012-2888: Use-after-free in SVG text references. Credit to miaubiz.
  • [$1000] [144899] High CVE-2012-2894: Crash in graphics context handling. Credit to Sławomir Błażek.
  • [Mac only] [$1000] [145544] High CVE-2012-2896: Integer overflow in WebGL. Credit to miaubiz.
  • [$500] [137707] Medium CVE-2012-2877: Browser crash with extensions and modal dialogs. Credit to Nir Moshe.
  • [$500] [139168] Low CVE-2012-2879: DOM topology corruption. Credit to pawlkt.
  • [$500] [141651] Medium CVE-2012-2884: Out-of-bounds read in Skia. Credit to Atte Kettunen of OUSPG.
  • [132398] High CVE-2012-2874: Out-of-bounds write in Skia. Credit to Google Chrome Security Team (Inferno).
  • [134955] [135488] [137106] [137288] [137302] [137547] [137556] [137606] [137635] [137880] [137928] [144579] [145079] [145121] [145163] [146462] Medium CVE-2012-2875: Various lower severity issues in the PDF viewer. Credit to Mateusz Jurczyk of Google Security Team, with contributions by Gynvael Coldwind of Google Security Team.
  • [137852] High CVE-2012-2878: Use-after-free in plug-in handling. Credit to Fermin Serna of Google Security Team.
  • [139462] Medium CVE-2012-2880: Race condition in plug-in paint buffer. Credit to Google Chrome Security Team (Cris Neckar).
  • [140647] High CVE-2012-2882: Wild pointer in OGG container handling. Credit to Google Chrome Security Team (Inferno).
  • [142310] Medium CVE-2012-2885: Possible double free on exit. Credit to the Chromium development community.
  • [143798] [144072] [147402] High CVE-2012-2890: Use-after-free in PDF viewer. Credit to Mateusz Jurczyk of Google Security Team, with contributions by Gynvael Coldwind of Google Security Team.
  • [144051] Low CVE-2012-2891: Address leak over IPC. Credit to Lei Zhang of the Chromium development community.
  • [144704] Low CVE-2012-2892: Pop-up block bypass. Credit to Google Chrome Security Team (Cris Neckar).
  • [144799] High CVE-2012-2893: Double free in XSL transforms. Credit to Google Chrome Security Team (Cris Neckar).
  • [145029] [145157] [146460] High CVE-2012-2895: Out-of-bounds writes in PDF viewer. Credit to Mateusz Jurczyk of Google Security Team, with contributions by Gynvael Coldwind of Google Security Team.

The new mouse lock API included in Chrome 22 allows 3D applications, such as first-person games, to offer users control of the in-game 3D perspective using the mouse, without moving outside the window or bumping into the edge of their screen. Google recommends this first-person shooter demo created by Mozilla.

Google pays out $3500 to security researchers for fixes in Chrome 21.0.1180.89

(LiveHacking.Com) – Google has released Chrome 21.0.1180.89 for Linux, Mac and Windows to fix several bugs and address a number of security vulnerabilities. Under its rewards scheme, which Google set up to pay researchers who find security related bugs in the Chrome source code, Google paid out $3500 for five of the eight bugs squashed.

Three of the bugs are rated as High, which means the vulnerability could let an attacker read or modify confidential data belonging to other web sites. Also vulnerabilities that interfere with browser security features are also high severity. The first High severity bug earned $1000 for Miaubiz and was related to a bad cast with run-ins. The spotting of a bad cast in XSL transforms pocketed Nicolas Gregoire $1000 while the third High severity bug was found by Google itself, a fix to avoid stale buffers in URL loading.

The full list of bugs fixed is as follows:

  • [$500] [121347] Medium CVE-2012-2865: Out-of-bounds read in line breaking. Credit to miaubiz.
  • [$1000] [134897] High CVE-2012-2866: Bad cast with run-ins. Credit to miaubiz.
  • [135485] Low CVE-2012-2867: Browser crash with SPDY.
  • [$500] [136881] Medium CVE-2012-2868: Race condition with workers and XHR. Credit to miaubiz.
  • [137778] High CVE-2012-2869: Avoid stale buffer in URL loading. Credit to Fermin Serna of the Google Security Team.
  • [138672] [140368] Low CVE-2012-2870: Lower severity memory management issues in XPath. Credit to Nicolas Gregoire.
  • [$1000] [138673] High CVE-2012-2871: Bad cast in XSL transforms. Credit to Nicolas Gregoire.
  • [$500] [142956] Medium CVE-2012-2872: XSS in SSL interstitial. Credit to Emmanuel Bronshtein.
Note that the referenced bugs will be kept private until a majority of Chrome users have upgraded.