July 25, 2014

Google pays out $3500 to security researchers for fixes in Chrome 21.0.1180.89

(LiveHacking.Com) – Google has released Chrome 21.0.1180.89 for Linux, Mac and Windows to fix several bugs and address a number of security vulnerabilities. Under its rewards scheme, which Google set up to pay researchers who find security related bugs in the Chrome source code, Google paid out $3500 for five of the eight bugs squashed.

Three of the bugs are rated as High, which means the vulnerability could let an attacker read or modify confidential data belonging to other web sites. Vulnerabilities that interfere with browser security features are also rated High severity. The first High severity bug earned $1000 for Miaubiz and was related to a bad cast with run-ins. The spotting of a bad cast in XSL transforms pocketed Nicolas Gregoire $1000, while the third High severity bug was found by Google itself, a fix to avoid stale buffers in URL loading.

The full list of bugs fixed is as follows:

  • [$500] [121347] Medium CVE-2012-2865: Out-of-bounds read in line breaking. Credit to miaubiz.
  • [$1000] [134897] High CVE-2012-2866: Bad cast with run-ins. Credit to miaubiz.
  • [135485] Low CVE-2012-2867: Browser crash with SPDY.
  • [$500] [136881] Medium CVE-2012-2868: Race condition with workers and XHR. Credit to miaubiz.
  • [137778] High CVE-2012-2869: Avoid stale buffer in URL loading. Credit to Fermin Serna of the Google Security Team.
  • [138672] [140368] Low CVE-2012-2870: Lower severity memory management issues in XPath. Credit to Nicolas Gregoire.
  • [$1000] [138673] High CVE-2012-2871: Bad cast in XSL transforms. Credit to Nicolas Gregoire.
  • [$500] [142956] Medium CVE-2012-2872: XSS in SSL interstitial. Credit to Emmanuel Bronshtein.
Note that the referenced bugs will be kept private until a majority of Chrome users have upgraded.

Google ups bounties for finding vulnerabilities in Chrome and offers over $2 million in prize money for Pwnium 2

(LiveHacking.Com) – Many people have benefited from Google’s Chrome Vulnerability Rewards Program, which was created to reward security researchers who invest their time and effort in helping find security vulnerabilities in Chrome and its open source counterpart Chromium. Not only does Google get a more secure browser and users a safer web experience, but browsers like Safari benefit too, as Safari is built on the same WebKit rendering engine.

Google, which has paid out over $1 million in rewards, has recently made two big announcements with regards to the rewards it is offering researchers. First, three new $1000 rewards have been announced which will be added to the base reward: for vulnerabilities that are particularly exploitable, for bugs in stable areas of the code base, and for serious bugs which impact a significantly wider range of products than just Chrome (e.g. open source libraries).

Google has also announced that it will host a second Pwnium competition. Pwnium 2 will be held on Oct 10th, 2012 at the Hack In The Box 10 year anniversary conference in Kuala Lumpur, Malaysia. The prize money up for grabs totals $2 million:

  • $60,000: ‘Full Chrome exploit’: Chrome / Win7 local OS user account persistence using only bugs in Chrome itself.
  • $50,000: ‘Partial Chrome exploit’: Chrome / Win7 local OS user account persistence using at least one bug in Chrome itself, plus other bugs. For example, a WebKit bug combined with a Windows kernel bug.
  • $40,000: ‘Non-Chrome exploit’: Flash / Windows / other. Chrome / Win7 local OS user account persistence that does not use bugs in Chrome. For example, bugs in one or more of Flash, Windows or a driver.
  • $Panel decision: ‘Incomplete exploit’: An exploit that is not reliable, or an incomplete exploit chain. For example, code execution inside the sandbox but no sandbox escape; or a working sandbox escape in isolation.

“For Pwnium 2, we want to reward people who get ‘part way’ as we could definitely learn from this work. Our rewards panel will judge any such works as generously as we can,” wrote Chris Evans, a software engineer at Google.

Google fixes two more High priority security bugs in Chrome just days after fixing 26 others

(LiveHacking.com) — At the end of July, Google released Chrome 21 which, along with new features like a new API for high-quality video and audio communication, fixed 26 security related bugs. Now just 8 days later Google has released a new version of Chrome 21 (21.0.1180.75) for Mac, Linux and Windows which addresses two High priority security issues.

The two vulnerabilities cover five bug reports raised against Chrome and are both to do with the built-in PDF viewer. The details are as follows:

  • [136643] [137721] [137957] High CVE-2012-2862: Use-after-free in PDF viewer. Credit to Mateusz Jurczyk of Google Security Team, with contributions by Gynvael Coldwind of Google Security Team.
  • [136968] [137361] High CVE-2012-2863: Out-of-bounds writes in PDF viewer. Credit to Mateusz Jurczyk of Google Security Team, with contributions by Gynvael Coldwind of Google Security Team.

Note that the referenced bugs will be kept private until a majority of Chrome users are up to date with the fix.

Google defines a bug to be of High severity if the vulnerability lets an attacker read or modify confidential data belonging to other web sites. Additionally, Google recommends rating issues that let an attacker execute arbitrary code within the confines of the sandbox as High. Vulnerabilities that interfere with browser security features are also High severity.

Other non-security fixes in this release include:

  • Flash videos no longer remaining in fullscreen when clicking a secondary monitor while the video is playing (Issue: 140366).
  • Flash video full screen displays on wrong monitor (Issue: 137523)
  • REGRESSION: Rendering difference in Chrome 21 and 22 affecting Persian Wikipedia (Issue: 139502)
  • Some known crashes (Issues: 137498, 138552, 128652, 140140)
  • Audio objects are not “switched” immediately (Issue: 140247)
  • Print and Print Preview ignore paper size default in printer config (Issue: 135374)
  • Candidate window is shown in the wrong place on Retina displays (Issue: 139108)
  • More of the choppy and distorted audio issues (Issue: 136624)
  • Japanese characters showing in Chinese font (Issue: 140432)
  • Video playback issues with flash-based sites (Issue: 139953)
  • Sync invalidation notification broken after restart (Issue: 139424)

Google fixes three High severity vulnerabilities in Chrome

(LiveHacking.Com) – Google has released a new version of its Chrome web browser to address three High severity vulnerabilities. According to Google’s severity ratings, a vulnerability is considered High if it lets an attacker read or modify confidential data belonging to other web sites. Google also says that vulnerabilities that interfere with browser security features are High severity.

Google paid out $2000 to security researcher Miaubiz for his work in finding two of the three security vulnerabilities. Miaubiz has received thousands of dollars from Google under its Chromium rewards scheme. Both Miaubiz bugs are use-after-free type bugs, one in counter handling and the other in layout height tracking. The third bug is a bad object access with JavaScript in PDF.

As well as the three security fixes, Chrome 20.0.1132.57 also includes a new version of Flash, a new version of the V8 JavaScript engine (3.10.8.20) and some stability/bug fixes.

Google Fixes Critical Vulnerabilities in Chrome 19.0.1084.52

(LiveHacking.Com) – Google has released Chrome 19.0.1084.52 for Windows, Linux and Mac and in doing so has fixed two Critical security vulnerabilities and patched nine other High priority security related bugs. Historically, Google is quick to release new versions of its web browser and releases frequent incremental updates to the current stable version of Chrome to patch any security vulnerabilities discovered. To help it do this, Google has a rewards scheme under which it pays hard cash to developers and security researchers who find vulnerabilities. For this release Google paid out $3837.

The first Critical bug squashed is a browser memory corruption with websockets over SSL. Memory corruptions are often used by attackers to create exploits, especially exploits which can execute arbitrary code. The second Critical fix is a use-after-free in the browser cache. Like memory corruptions, it is theoretically possible to create an exploit from use-after-free bugs. This particular bug was found by “efbiaiinzinz”, who was rewarded $1337 by Google.

The full list of fixes, along with credits and rewards, is as follows:

  • [117409] High CVE-2011-3103: Crashes in v8 garbage collection. Credit to the Chromium development community (Brett Wilson).
  • [118018] Medium CVE-2011-3104: Out-of-bounds read in Skia. Credit to Google Chrome Security Team (Inferno).
  • [$1000] [120912] High CVE-2011-3105: Use-after-free in first-letter handling. Credit to miaubiz.
  • [122654] Critical CVE-2011-3106: Browser memory corruption with websockets over SSL. Credit to the Chromium development community (Dharani Govindan).
  • [124625] High CVE-2011-3107: Crashes in the plug-in JavaScript bindings. Credit to the Chromium development community (Dharani Govindan).
  • [$1337] [125159] Critical CVE-2011-3108: Use-after-free in browser cache. Credit to “efbiaiinzinz”.
  • [Linux only] [$1000] [126296] High CVE-2011-3109: Bad cast in GTK UI. Credit to Micha Bartholomé.
  • [126337] [126343] [126378] [127349] [127819] [127868] High CVE-2011-3110: Out of bounds writes in PDF. Credit to Mateusz Jurczyk of the Google Security Team, with contributions by Gynvael Coldwind of the Google Security Team.
  • [$500] [126414] Medium CVE-2011-3111: Invalid read in v8. Credit to Christian Holler.
  • [127331] High CVE-2011-3112: Use-after-free with invalid encrypted PDF. Credit to Mateusz Jurczyk of the Google Security Team, with contributions by Gynvael Coldwind of the Google Security Team.
  • [127883] High CVE-2011-3113: Invalid cast with colorspace handling in PDF. Credit to Mateusz Jurczyk of the Google Security Team, with contributions by Gynvael Coldwind of the Google Security Team.
  • [128014] High CVE-2011-3114: Buffer overflows with PDF functions. Credit to Google Chrome Security Team (scarybeasts).
  • [$1000] [128018] High CVE-2011-3115: Type corruption in v8. Credit to Christian Holler.

Note that the referenced bugs are kept private until a majority of Chrome users are up to date with the fixes.

Google Releases Chrome 19 with 19 Security Fixes

(LiveHacking.Com) – The development of Google’s Chrome browser continues at a fast pace. Just six weeks after the release of Chrome 18, Google have now released Chrome 19. It boasts a new tab synchronization feature along with 19 security related fixes. None of the fixes in this new release are rated Critical but there are seven High severity fixes. High severity, according to Google’s definition, means that the vulnerability lets a hacker read or modify confidential data belonging to other web sites or lets an attacker execute arbitrary code within the confines of the Chrome sandbox. Vulnerabilities that interfere with browser security features are also considered High severity.

Four of the seven High severity issues are use-after-free issues. These bugs can potentially be exploited to allow an attacker to run arbitrary code. Of the remaining three, two are out-of-bounds writes (one in the OGG container and one related to PDF). Again, these types of errors are a foothold for a fully working exploit. The last High severity error is an invalid write in v8 regex. In total Google paid out $4000 in bounties to the external security researchers who found these errors.

The full list of security related fixes is:

  • [112983] Low CVE-2011-3083: Browser crash with video + FTP. Credit to Aki Helin of OUSPG.
  • [113496] Low CVE-2011-3084: Load links from internal pages in their own process. Credit to Brett Wilson of the Chromium development community.
  • [118374] Medium CVE-2011-3085: UI corruption with long autofilled values. Credit to “psaldorn”.
  • [$1000] [118642] High CVE-2011-3086: Use-after-free with style element. Credit to Arthur Gerkis.
  • [118664] Low CVE-2011-3087: Incorrect window navigation. Credit to Charlie Reis of the Chromium development community.
  • [$500] [120648] Medium CVE-2011-3088: Out-of-bounds read in hairline drawing. Credit to Aki Helin of OUSPG.
  • [$1000] [120711] High CVE-2011-3089: Use-after-free in table handling. Credit to miaubiz.
  • [$500] [121223] Medium CVE-2011-3090: Race condition with workers. Credit to Arthur Gerkis.
  • [121734] High CVE-2011-3091: Use-after-free with indexed DB. Credit to Google Chrome Security Team (Inferno).
  • [$1000] [122337] High CVE-2011-3092: Invalid write in v8 regex. Credit to Christian Holler.
  • [$500] [122585] Medium CVE-2011-3093: Out-of-bounds read in glyph handling. Credit to miaubiz.
  • [122586] Medium CVE-2011-3094: Out-of-bounds read in Tibetan handling. Credit to miaubiz.
  • [$1000] [123481] High CVE-2011-3095: Out-of-bounds write in OGG container. Credit to Hannu Heikkinen.
  • [Linux only] [123530] Low CVE-2011-3096: Use-after-free in GTK omnibox handling. Credit to Arthur Gerkis.
  • [123733] [124182] High CVE-2011-3097: Out-of-bounds write in sampled functions with PDF. Credit to Kostya Serebryany of Google and Evgeniy Stepanov of Google.
  • [Windows only] [124216] Low CVE-2011-3098: Bad search path for Windows Media Player plug-in. Credit to Haifei Li of Microsoft and MSVR (MSVR:159).
  • [124479] High CVE-2011-3099: Use-after-free in PDF with corrupt font encoding name. Credit to Mateusz Jurczyk of Google Security Team and Gynvael Coldwind of Google Security Team.
  • [124652] Medium CVE-2011-3100: Out-of-bounds read drawing dash paths. Credit to Google Chrome Security Team (Inferno).

Note that the referenced bugs may be kept private, by Google, until a majority of users are using the latest version of Chrome.

For the astute amongst you, the above list has 18 bullet points, but CVE-2011-3097: “Out-of-bounds write in sampled functions with PDF” covers two bugs making it 19 fixes for Chrome 19!

Having said that, Google also released information on two bugs fixed outside of Chrome which could have an impact on the security of Chrome itself:

  • [Linux only] [$500] [118970] Medium CVE-2011-3101: Work around Linux Nvidia driver bug. Credit to Aki Helin of OUSPG.
  • [$1500] [125462] High CVE-2011-3102: Off-by-one out-of-bounds write in libxml. Credit to Jüri Aedla.

Finally, Google paid out over $9000 to researchers who found security holes in Chrome 19 during its development.

Google Fixes High Priority Security Vulnerabilities with new Release of Chrome

(LiveHacking.Com) – Google has released Chrome 18.0.1025.168 on Windows, Mac and Linux to fix several High priority security bugs. Under Google’s ranking scheme a vulnerability is of ‘High’ severity when it could let an attacker read or modify confidential data belonging to other web sites or execute arbitrary code within the confines of the sandbox. Google also rates vulnerabilities that interfere with browser security features (e.g. ones that can disrupt the location bar and lock icon) as High severity.

This release fixes five security vulnerabilities of which three are rated as High. All the High rated vulnerabilities are related to use after free conditions which are often used as the starting point of an exploit to execute arbitrary code on the victim’s computer. One of the vulnerabilities was found by security researcher miaubiz who received $1000 under the Chromium Vulnerability Rewards Program.

The full list of fixes is as follows:

  • [106413] High CVE-2011-3078: Use after free in floats handling. Credit to Google Chrome Security Team (Marty Barbella) and independent later discovery by miaubiz.
  • [117110] High CVE-2012-1521: Use after free in xml parser. Credit to Google Chrome Security Team (SkyLined) and independent later discovery by wushi of team509 reported through iDefense VCP (V-874rcfpq7z).
  • [117627] Medium CVE-2011-3079: IPC validation failure. Credit to PinkiePie.
  • [121726] Medium CVE-2011-3080: Race condition in sandbox IPC. Credit to Willem Pinckaers of Matasano.
  • [$1000] [121899] High CVE-2011-3081: Use after free in floats handling. Credit to miaubiz.

Note that the referenced bugs may be kept private by Google until a majority of Chrome users are up to date with the fix.

Google Updates Chrome Again to Fix Seven High Risk Vulnerabilities

(LiveHacking.Com) – Google has updated Chrome to 18.0.1025.151 to fix some bugs, add a new version of Flash and fix twelve security vulnerabilities. The new release, which is available for Windows, Mac and Linux is Google’s second release in just eight days. As part of its security reward program, Google paid out $6000 to security researchers for their efforts in making Google Chrome safer.

Seven of the twelve vulnerabilities are rated as “high,” the second-most-serious ranking in Google’s scoring system. Of the remaining, four were marked “medium” and one was labeled “low.” All of the high risk vulnerabilities are use-after-free bugs in various parts of the Chrome code, including in line box handling, v8 bindings, HTMLMediaElement and focus handling.

The full list of fixes is:

  • [$500] [106577] Medium CVE-2011-3066: Out-of-bounds read in Skia clipping. Credit to miaubiz.
  • [117583] Medium CVE-2011-3067: Cross-origin iframe replacement. Credit to Sergey Glazunov.
  • [$1000] [117698] High CVE-2011-3068: Use-after-free in run-in handling. Credit to miaubiz.
  • [$1000] [117728] High CVE-2011-3069: Use-after-free in line box handling. Credit to miaubiz.
  • [118185] High CVE-2011-3070: Use-after-free in v8 bindings. Credit to Google Chrome Security Team (SkyLined).
  • [118273] High CVE-2011-3071: Use-after-free in HTMLMediaElement. Credit to pa_kt, reporting through HP TippingPoint ZDI (ZDI-CAN-1528).
  • [118467] Low CVE-2011-3072: Cross-origin violation parenting pop-up window. Credit to Sergey Glazunov.
  • [$1000] [118593] High CVE-2011-3073: Use-after-free in SVG resource handling. Credit to Arthur Gerkis.
  • [$500] [119281] Medium CVE-2011-3074: Use-after-free in media handling. Credit to Sławomir Błażek.
  • [$1000] [119525] High CVE-2011-3075: Use-after-free applying style command. Credit to miaubiz.
  • [$1000] [120037] High CVE-2011-3076: Use-after-free in focus handling. Credit to miaubiz.
  • [120189] Medium CVE-2011-3077: Read-after-free in script bindings. Credit to Google Chrome Security Team (Inferno).

Note: Google may keep the referenced bugs secret until a majority of Chrome users are up to date with the fix.

Other things

This release also fixes the following issues:

  • black screen on Hybrid Graphics system with GPU accelerated compositing enabled (Issue: 117371)
  • CSS not applied to <content> element (Issue: 114667)
  • Regression rendering a div with background gradient and borders (Issue: 113726)
  • Canvas 2D line drawing bug with GPU acceleration (Issue: 121285)
  • Multiple crashes (Issues: 72235, 116825 and 92998)
  • Pop-up dialog is at wrong position (Issue: 116045)
  • HTML Canvas patterns are broken if you change the transformation matrix (Issue: 112165)
  • SSL interstitial error “proceed anyway” / “back to safety” buttons don’t work (Issue: 119252)

Known Issues:

  • HTML5 audio doesn’t work on some Mac computers (Issue: 109441)

A new version of Flash Player is included in this release, more details are available in an addendum to the following Flash Player advisory.

Google Releases Chrome 18 – Fixes Security Bugs, Adds Faster Graphics

(LiveHacking.Com) – The version numbers keep flying upwards! Google has released Chrome 18.0.1025.142 for Windows, Mac and Linux with a number of new features (including faster and fancier graphics) and a collection of security fixes. None of the security fixes in this release are marked as Critical but there are three High severity fixes.

Under Google’s definitions, High severity means that the vulnerability lets an attacker read or modify confidential data belonging to other web sites, or lets the attacker execute arbitrary code within the confines of the sandbox. Vulnerabilities that interfere with browser security features are also High severity.

The first of the High severity bugs fixed was an off-by-one error in OpenType Sanitizer, the next was a use-after-free error in SVG clipping, and the third a memory corruption in Skia.

As part of the Chrome Vulnerability Rewards Program, which was created to help reward the contributions of security researchers who invest their time and effort into making Chrome more secure, Google paid out $3000 for this release.

The full list of security related bugs fixed is:

  • [$500] [109574] Medium CVE-2011-3058: Bad interaction possibly leading to XSS in EUC-JP. Credit to Masato Kinugawa.
  • [$500] [112317] Medium CVE-2011-3059: Out-of-bounds read in SVG text handling. Credit to Arthur Gerkis.
  • [$500] [114056] Medium CVE-2011-3060: Out-of-bounds read in text fragment handling. Credit to miaubiz.
  • [116398] Medium CVE-2011-3061: SPDY proxy certificate checking error. Credit to Leonidas Kontothanassis of Google.
  • [116524] High CVE-2011-3062: Off-by-one in OpenType Sanitizer. Credit to Mateusz Jurczyk of the Google Security Team.
  • [117417] Low CVE-2011-3063: Validate navigation requests from the renderer more carefully. Credit to kuzzcc, Sergey Glazunov, PinkiePie and scarybeasts (Google Chrome Security Team).
  • [$1000] [117471] High CVE-2011-3064: Use-after-free in SVG clipping. Credit to Atte Kettunen of OUSPG.
  • [$1000] [117588] High CVE-2011-3065: Memory corruption in Skia. Credit to Omair.
  • [$500] [117794] Medium CVE-2011-3057: Invalid read in v8. Credit to Christian Holler.

Google have also said that some of these items represent the start of hardening measures based on study of the exploits submitted to the Pwnium competition.

Note that the referenced bugs may be kept private until a majority of Chrome users are up to date with the fixes.

New Features

Chrome 18 also introduces some new features, specifically Google have enabled GPU-accelerated Canvas2D on capable Windows and Mac computers. This feature had previously been enabled in the Beta channel and Google hope developers have had a chance to try it out. Chrome 18 also enables SwiftShader, a software rasterizer licensed from TransGaming, for users with graphics cards which can’t cope with WebGL rendering.

Flash 11.2

Chrome 18 also includes Flash Player 11.2 which contains a number of new features along with security updates. See our post here.

Google Hands Out $4500 in Rewards for Chrome 17.0.963.83

(LiveHacking.Com) – Google has released Chrome 17.0.963.83 to fix several ‘High’ level security bugs. In doing so it handed out $4500 to security researchers who found and reported security related bugs in Google’s web browser. The new update also includes the start of hardening measures based on study of the exploits submitted to the Pwnium competition.

Security fixes and rewards:

  • [$1000] [113902] High CVE-2011-3050: Use-after-free with first-letter handling. Credit to miaubiz.
  • [116162] High CVE-2011-3045: libpng integer issue from upstream. Credit to Glenn Randers-Pehrson of the libpng project.
  • [$1000] [116461] High CVE-2011-3051: Use-after-free in CSS cross-fade handling. Credit to Arthur Gerkis.
  • [116637] High CVE-2011-3052: Memory corruption in WebGL canvas handling. Credit to Ben Vanik of Google.
  • [$1000] [116746] High CVE-2011-3053: Use-after-free in block splitting. Credit to miaubiz.
  • [117418] Low CVE-2011-3054: Apply additional isolations to webui privileges. Credit to Sergey Glazunov.
  • [117736] Low CVE-2011-3055: Prompt in the browser native UI for unpacked extension installation. Credit to PinkiePie.
  • [$2000] [117550] High CVE-2011-3056: Cross-origin violation with “magic iframe”. Credit to Sergey Glazunov.
  • [$500] [117794] Medium CVE-2011-3057: Invalid read in v8. Credit to Christian Holler.

Google also listed a low severity issue that was fixed in a previous patch but the company had forgotten to issue a proper credit:

  • [108648] Low CVE-2011-3049: Extension web request API can interfere with system requests. Credit to Michael Gundlach.

Note that the referenced bugs may be kept private until a majority of Chrome users are up to date with the fix.