November 27, 2014

In Brief: Google releases Chrome 23.0.1271.95 and gives Pinkie Pie $7331

(LiveHacking.Com) – Google has released a new version of its Chrome browser (23.0.1271.95) just three days after releasing the previous version. This new update is a purely security-related release and it fixes two High-rated security vulnerabilities.

In Google speak, High means that the vulnerability could let an attacker read or modify confidential data belonging to other web sites; vulnerabilities that interfere with browser security features are also rated High.

The first vulnerability fixed, found by Jüri Aedla of the Google Chrome Security Team, was a bug in file path handling. The second, found by Pinkie Pie, was a use-after-free in media source handling. Pinkie Pie’s bug earned the researcher $7331.

Google releases Chrome 23 with some unique security bug fixes

(LiveHacking.Com) – Google has released Chrome 23 with some new features, like the option to send a ‘do not track’ request to websites, as well as some interesting security fixes. A “normal” Chrome update includes a variety of bug fixes found by Google itself and by outside security researchers who are rewarded (in cash) by Google for their efforts. However, this time things are slightly different.

First of all, Google has issued a special reward to miaubiz for a non-Chrome-related bug; such rewards are given when the bug is very severe and/or Google is able to partially work around the issue. In this case it was a way to defend against wild writes in buggy graphics drivers on Mac OS X. miaubiz got $1000 for his efforts!

This then also led to another $1000 for miaubiz for an integer bounds check issue in GPU command buffers, again only on Mac OS X.

Finally, there is an out-of-bounds array access bug in v8 which was found by Atte Kettunen of OUSPG. This particular bug only affected 64-bit Linux systems.

For the rest it was security bug squashing as normal:

  • [$3500] [157079] Medium CVE-2012-5127: Integer overflow leading to out-of-bounds read in WebP handling. Credit to Phil Turnbull.
  • [$1000] [143761] High CVE-2012-5116: Use-after-free in SVG filter handling. Credit to miaubiz.
  • [$1000] [154055] High CVE-2012-5121: Use-after-free in video layout. Credit to Atte Kettunen of OUSPG.
  • [145915] Low CVE-2012-5117: Inappropriate load of SVG subresource in img context. Credit to Felix Gröbert of the Google Security Team.
  • [149759] Medium CVE-2012-5119: Race condition in Pepper buffer handling. Credit to Fermin Serna of the Google Security Team.
  • [154465] Medium CVE-2012-5122: Bad cast in input handling. Credit to Google Chrome Security Team (Inferno).
  • [154590] [156826] Medium CVE-2012-5123: Out-of-bounds reads in Skia. Credit to Google Chrome Security Team (Inferno).
  • [155323] High CVE-2012-5124: Memory corruption in texture handling. Credit to Al Patrick of the Chromium development community.
  • [156051] Medium CVE-2012-5125: Use-after-free in extension tab handling. Credit to Alexander Potapenko of the Chromium development community.
  • [156366] Medium CVE-2012-5126: Use-after-free in plug-in placeholder handling. Credit to Google Chrome Security Team (Inferno).
  • [157124] High CVE-2012-5128: Bad write in v8. Credit to Google Chrome Security Team (Cris Neckar).

Since Adobe has released a new version of its ubiquitous Flash Player to address vulnerabilities that could cause a crash and potentially be exploited by an attacker to infect a PC with malware, Chrome 23 includes the updated version of Flash Player.

Google updates Chrome to fix Critical security vulnerability in audio device handling

(LiveHacking.Com) – Google has released Chrome 22.0.1229.92 to fix several security related bugs, including a Critical security vulnerability in its audio device handling, and to update the built-in Adobe Flash player. Google paid out over $4000 to Atte Kettunen of OUSPG for his help in finding the audio related bug and a crash in Skia text rendering.

The list of security fixes is:

  • [$1000] [138208] High CVE-2012-2900: Crash in Skia text rendering. Credit to Atte Kettunen of OUSPG.
  • [$3133.7] [147499] Critical CVE-2012-5108: Race condition in audio device handling. Credit to Atte Kettunen of OUSPG.
  • [$500] [148692] Medium CVE-2012-5109: OOB read in ICU regex. Credit to Arthur Gerkis.
  • [151449] Medium CVE-2012-5110: Out-of-bounds read in compositor. Credit to Google Chrome Security Team (Inferno).
  • [151895] Low CVE-2012-5111: Plug-in crash monitoring was missing for Pepper plug-ins. Credit to Google Chrome Security Team (Chris Evans).

It is worth noting that Google keep the referenced bugs private until a majority of Chrome users are up to date with the fixes.

Also included in Chrome 22.0.1229.92 is the latest version of the Adobe Flash Player which was just updated to address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system. The new versions in Chrome are 11.4.31.110 for Windows and Linux, and 11.4.402.287 for Macintosh.

Google releases Chrome 22 with $28,500 worth of security fixes and a workaround for a Windows kernel memory corruption

(LiveHacking.Com) – Google has released Chrome 22 with a variety of new features including a new Mouse Lock API (used mainly by 3D games) and some very important security fixes including a Critical level fix for a Windows kernel memory corruption. Under its reward scheme, which pays security researchers real money for their efforts in finding vulnerabilities in Chrome, Google paid out $28,500 for vulnerabilities fixed in Chrome 22, one of which (the Windows kernel memory corruption) was awarded $10,000 while two UXSS vulnerabilities earned Sergey Glazunov $15,000.

There are no details yet on the Windows kernel memory corruption or the nature of the Universal XSS flaws as Google (wisely) keeps the bug details private until a majority of users have updated. The Critical flaw in Windows (146254 / CVE-2012-2897) is credited to Eetu Luodemaa and Joni Vähämäki, both from Documill.

The UXSS errors are rated as High:

  • [143439] High CVE-2012-2889: UXSS in frame handling. Credit to Sergey Glazunov.
  • [143437] High CVE-2012-2886: UXSS in v8 bindings. Credit to Sergey Glazunov.

Other security related bugs fixed (along with the related rewards) are:

  • [$2000] [139814] High CVE-2012-2881: DOM tree corruption with plug-ins. Credit to Chamal de Silva.
  • [$1000] [135432] High CVE-2012-2876: Buffer overflow in SSE2 optimizations. Credit to Atte Kettunen of OUSPG.
  • [$1000] [140803] High CVE-2012-2883: Out-of-bounds write in Skia. Credit to Atte Kettunen of OUSPG.
  • [$1000] [143609] High CVE-2012-2887: Use-after-free in onclick handling. Credit to Atte Kettunen of OUSPG.
  • [$1000] [143656] High CVE-2012-2888: Use-after-free in SVG text references. Credit to miaubiz.
  • [$1000] [144899] High CVE-2012-2894: Crash in graphics context handling. Credit to Sławomir Błażek.
  • [Mac only] [$1000] [145544] High CVE-2012-2896: Integer overflow in WebGL. Credit to miaubiz.
  • [$500] [137707] Medium CVE-2012-2877: Browser crash with extensions and modal dialogs. Credit to Nir Moshe.
  • [$500] [139168] Low CVE-2012-2879: DOM topology corruption. Credit to pawlkt.
  • [$500] [141651] Medium CVE-2012-2884: Out-of-bounds read in Skia. Credit to Atte Kettunen of OUSPG.
  • [132398] High CVE-2012-2874: Out-of-bounds write in Skia. Credit to Google Chrome Security Team (Inferno).
  • [134955] [135488] [137106] [137288] [137302] [137547] [137556] [137606] [137635] [137880] [137928] [144579] [145079] [145121] [145163] [146462] Medium CVE-2012-2875: Various lower severity issues in the PDF viewer. Credit to Mateusz Jurczyk of Google Security Team, with contributions by Gynvael Coldwind of Google Security Team.
  • [137852] High CVE-2012-2878: Use-after-free in plug-in handling. Credit to Fermin Serna of Google Security Team.
  • [139462] Medium CVE-2012-2880: Race condition in plug-in paint buffer. Credit to Google Chrome Security Team (Cris Neckar).
  • [140647] High CVE-2012-2882: Wild pointer in OGG container handling. Credit to Google Chrome Security Team (Inferno).
  • [142310] Medium CVE-2012-2885: Possible double free on exit. Credit to the Chromium development community.
  • [143798] [144072] [147402] High CVE-2012-2890: Use-after-free in PDF viewer. Credit to Mateusz Jurczyk of Google Security Team, with contributions by Gynvael Coldwind of Google Security Team.
  • [144051] Low CVE-2012-2891: Address leak over IPC. Credit to Lei Zhang of the Chromium development community.
  • [144704] Low CVE-2012-2892: Pop-up block bypass. Credit to Google Chrome Security Team (Cris Neckar).
  • [144799] High CVE-2012-2893: Double free in XSL transforms. Credit to Google Chrome Security Team (Cris Neckar).
  • [145029] [145157] [146460] High CVE-2012-2895: Out-of-bounds writes in PDF viewer. Credit to Mateusz Jurczyk of Google Security Team, with contributions by Gynvael Coldwind of Google Security Team.

The new mouse lock API included in Chrome 22 allows 3D applications, such as first-person games, to offer users control of the in-game 3D perspective using the mouse, without moving outside the window or bumping into the edge of their screen. Google recommends this first-person shooter demo created by Mozilla.

Google pays out $3500 to security researchers for fixes in Chrome 21.0.1180.89

(LiveHacking.Com) – Google has released Chrome 21.0.1180.89 for Linux, Mac and Windows to fix several bugs and address a number of security vulnerabilities. Under its rewards scheme, which Google set up to pay researchers who find security related bugs in the Chrome source code, Google paid out $3500 for five of the eight bugs squashed.

Three of the bugs are rated as High, which means the vulnerability could let an attacker read or modify confidential data belonging to other web sites; vulnerabilities that interfere with browser security features are also rated High. The first High severity bug earned $1000 for Miaubiz and was related to a bad cast with run-ins. The spotting of a bad cast in XSL transforms pocketed Nicolas Gregoire $1000, while the third High severity bug was found by Google itself, a fix to avoid stale buffers in URL loading.

The full list of bugs fixed is as follows:

  • [$500] [121347] Medium CVE-2012-2865: Out-of-bounds read in line breaking. Credit to miaubiz.
  • [$1000] [134897] High CVE-2012-2866: Bad cast with run-ins. Credit to miaubiz.
  • [135485] Low CVE-2012-2867: Browser crash with SPDY.
  • [$500] [136881] Medium CVE-2012-2868: Race condition with workers and XHR. Credit to miaubiz.
  • [137778] High CVE-2012-2869: Avoid stale buffer in URL loading. Credit to Fermin Serna of the Google Security Team.
  • [138672] [140368] Low CVE-2012-2870: Lower severity memory management issues in XPath. Credit to Nicolas Gregoire.
  • [$1000] [138673] High CVE-2012-2871: Bad cast in XSL transforms. Credit to Nicolas Gregoire.
  • [$500] [142956] Medium CVE-2012-2872: XSS in SSL interstitial. Credit to Emmanuel Bronshtein.

Note that the referenced bugs will be kept private until a majority of Chrome users have upgraded.

Google fixes two more High priority security bugs in Chrome just days after fixing 26 others

(LiveHacking.com) — At the end of July, Google released Chrome 21 which, along with new features like a new API for high-quality video and audio communication, fixed 26 security related bugs. Now just 8 days later Google has released a new version of Chrome 21 (21.0.1180.75) for Mac, Linux and Windows which addresses two High priority security issues.

The two vulnerabilities cover five bug reports raised against Chrome and are all to do with the built-in PDF viewer. The details are as follows:

  • [136643] [137721] [137957] High CVE-2012-2862: Use-after-free in PDF viewer. Credit to Mateusz Jurczyk of Google Security Team, with contributions by Gynvael Coldwind of Google Security Team.
  • [136968] [137361] High CVE-2012-2863: Out-of-bounds writes in PDF viewer. Credit to Mateusz Jurczyk of Google Security Team, with contributions by Gynvael Coldwind of Google Security Team.

Note that the referenced bugs will be kept private until a majority of Chrome users are up to date with the fix.

Google defines a bug to be of High severity if the vulnerability lets an attacker read or modify confidential data belonging to other web sites. Additionally, Google recommends rating issues that let an attacker execute arbitrary code within the confines of the sandbox as High. Vulnerabilities that interfere with browser security features are also High severity.

Other non-security fixes in this release include:

  • Flash videos no longer remaining in fullscreen when clicking a secondary monitor while the video is playing (Issue: 140366)
  • Flash video full screen displays on wrong monitor (Issue: 137523)
  • REGRESSION: Rendering difference in Chrome 21 and 22 that affected Persian Wikipedia (Issue: 139502)
  • Some known crashes (Issues: 137498, 138552, 128652, 140140)
  • Audio objects are not “switched” immediately (Issue: 140247)
  • Print and Print Preview ignore paper size default in printer config (Issue: 135374)
  • Candidate window is shown in wrong place on Retina display (Issue: 139108)
  • More of the choppy and distorted audio issues (Issue: 136624)
  • Japanese characters showing in Chinese font (Issue: 140432)
  • Video playback issues with Flash-based sites (Issue: 139953)
  • Sync invalidation notification broken after restart (Issue: 139424)

Google fixes three High severity vulnerabilities in Chrome

(LiveHacking.Com) – Google has released a new version of its Chrome web browser to address three High severity vulnerabilities. According to Google’s severity ratings, a vulnerability is considered High if it lets an attacker read or modify confidential data belonging to other web sites. Google also says that vulnerabilities that interfere with browser security features are High severity.

Google paid out $2000 to security researcher Miaubiz for his work in finding two of the three security vulnerabilities. Miaubiz has received thousands of dollars from Google under its Chromium rewards scheme. Both Miaubiz bugs are use-after-free type bugs, one in counter handling and the other in layout height tracking. The third bug is a bad object access with JavaScript in PDF.

As well as the three security fixes, Chrome 20.0.1132.57 also includes a new version of Flash, a new version of the V8 JavaScript engine (3.10.8.20) and some stability/bug fixes.

Google pays out $11500 to security researchers for improvements added to Chrome 20

(LiveHacking.Com) – Google has released Chrome 20 (20.0.1132.43) for Windows, Mac and Linux. In doing so it also paid out some $11500 in rewards to security researchers who found potential High risk security vulnerabilities in Chrome and its supporting libraries.

One security researcher, who goes by the name of Miaubiz, stands out. In Chrome 20 he was awarded $7000 for his efforts in finding security vulnerabilities in Chrome. The majority of the bugs found were use-after-free bugs, which are often used by hackers to develop exploits. The list of Miaubiz’s bugs is:

  • [$1000] [120222] High CVE-2012-2817: Use-after-free in table section handling.
  • [$1000] [120944] High CVE-2012-2818: Use-after-free in counter layout.
  • [$1000] [124356] High CVE-2012-2823: Use-after-free in SVG resource handling.
  • [$1000] [125374] High CVE-2012-2824: Use-after-free in SVG painting.
  • [$1000] [129947] High CVE-2012-2829: Use-after-free in first-letter handling.
  • [$1000] [129951] High CVE-2012-2830: Wild pointer in array value setting.
  • [$1000] [130356] High CVE-2012-2831: Use-after-free in SVG reference handling.

Only one other bug received a bounty reward from Google, an integer overflow in the Matroska container:

  • [$1000] [132779] High CVE-2012-2834: Integer overflow in Matroska container. Credit to Jüri Aedla.

The remaining bugs that were found and fixed didn’t get any bounty. This is because either they were discovered by Google themselves or the low severity of the bug didn’t warrant a payout:

  • [118633] Low CVE-2012-2815: Leak of iframe fragment id. Credit to Elie Bursztein of Google.
  • [Windows only] [119150] [119250] High CVE-2012-2816: Prevent sandboxed processes interfering with each other. Credit to Google Chrome Security Team (Justin Schuh).
  • [120977] High CVE-2012-2819: Crash in texture handling. Credit to Ken “gets” Russell of the Chromium development community.
  • [121926] Medium CVE-2012-2820: Out-of-bounds read in SVG filter handling. Credit to Atte Kettunen of OUSPG.
  • [122925] Medium CVE-2012-2821: Autofill display problem. Credit to “simonbrown60”.
  • [various] Medium CVE-2012-2822: Misc. lower severity OOB read issues in PDF. Credit to awesome ASAN and various Googlers (Kostya Serebryany, Evgeniy Stepanov, Mateusz Jurczyk, Gynvael Coldwind).
  • [128688] Medium CVE-2012-2826: Out-of-bounds read in texture conversion. Credit to Google Chrome Security Team (Inferno).
  • [Mac only] [129826] Low CVE-2012-2827: Use-after-free in Mac UI. Credit to the Chromium development community (Dharani Govindan).
  • [129857] High CVE-2012-2828: Integer overflows in PDF. Credit to Mateusz Jurczyk of Google Security Team and Google Chrome Security Team (Chris Evans).
  • [Windows only] [130276] Low CVE-2012-2764: Unqualified load of metro DLL. Credit to Moshe Zioni of Comsec Consulting.
  • [131553] High CVE-2012-2832: Uninitialized pointer in PDF image codec. Credit to Mateusz Jurczyk of Google Security Team.
  • [132156] High CVE-2012-2833: Buffer overflow in PDF JS API. Credit to Mateusz Jurczyk of Google Security Team.

Chrome, like all major software, uses a range of external libraries which are also used by other projects. Google paid out $3500 for issues with a wider scope than just Chrome:

  • [$500] [127417] Medium CVE-2012-2825: Wild read in XSL handling. Credit to Nicholas Gregoire.
  • [64-bit Linux only] [$3000] [129930] High CVE-2012-2807: Integer overflows in libxml. Credit to Jüri Aedla.

Note that the referenced bugs are kept private until a majority of Chrome users are up to date with the fixes.

Google Fixes Critical Vulnerabilities in Chrome 19.0.1084.52

(LiveHacking.Com) – Google has released Chrome 19.0.1084.52 for Windows, Linux and Mac and in doing so it has fixed two Critical security vulnerabilities and patched nine other High priority security related bugs. Historically Google is quick to release new versions of its web browser and releases frequent incremental updates to the current stable version of Chrome to patch any security vulnerabilities discovered. To help it do this, Google has a rewards scheme where it pays hard cash to developers and security researchers who find vulnerabilities. For this release Google paid out $3837.

The first Critical bug squashed is a browser memory corruption with websockets over SSL. Memory corruptions are often used by attackers to create exploits, especially exploits which can execute arbitrary code. The second Critical fix is a use-after-free in the browser cache. Like memory corruptions, it is theoretically possible to create an exploit from use-after-free bugs. This particular bug was found by “efbiaiinzinz”, who was rewarded $1337 by Google.

The full list of fixes, along with credits and rewards, is as follows:

  • [117409] High CVE-2011-3103: Crashes in v8 garbage collection. Credit to the Chromium development community (Brett Wilson).
  • [118018] Medium CVE-2011-3104: Out-of-bounds read in Skia. Credit to Google Chrome Security Team (Inferno).
  • [$1000] [120912] High CVE-2011-3105: Use-after-free in first-letter handling. Credit to miaubiz.
  • [122654] Critical CVE-2011-3106: Browser memory corruption with websockets over SSL. Credit to the Chromium development community (Dharani Govindan).
  • [124625] High CVE-2011-3107: Crashes in the plug-in JavaScript bindings. Credit to the Chromium development community (Dharani Govindan).
  • [$1337] [125159] Critical CVE-2011-3108: Use-after-free in browser cache. Credit to “efbiaiinzinz”.
  • [Linux only] [$1000] [126296] High CVE-2011-3109: Bad cast in GTK UI. Credit to Micha Bartholomé.
  • [126337] [126343] [126378] [127349] [127819] [127868] High CVE-2011-3110: Out of bounds writes in PDF. Credit to Mateusz Jurczyk of the Google Security Team, with contributions by Gynvael Coldwind of the Google Security Team.
  • [$500] [126414] Medium CVE-2011-3111: Invalid read in v8. Credit to Christian Holler.
  • [127331] High CVE-2011-3112: Use-after-free with invalid encrypted PDF. Credit to Mateusz Jurczyk of the Google Security Team, with contributions by Gynvael Coldwind of the Google Security Team.
  • [127883] High CVE-2011-3113: Invalid cast with colorspace handling in PDF. Credit to Mateusz Jurczyk of the Google Security Team, with contributions by Gynvael Coldwind of the Google Security Team.
  • [128014] High CVE-2011-3114: Buffer overflows with PDF functions. Credit to Google Chrome Security Team (scarybeasts).
  • [$1000] [128018] High CVE-2011-3115: Type corruption in v8. Credit to Christian Holler.

Note that the referenced bugs are kept private until a majority of Chrome users are up to date with the fixes.

Google Releases Chrome 19 with 19 Security Fixes

(LiveHacking.Com) – The development of Google’s Chrome browser continues at a fast pace. Just six weeks after the release of Chrome 18, Google have now released Chrome 19. It boasts a new tab synchronization feature along with 19 security related fixes. None of the fixes in this new release are rated Critical but there are seven High severity fixes. High severity, according to Google’s definition, means that the vulnerability lets a hacker read or modify confidential data belonging to other web sites or lets an attacker execute arbitrary code within the confines of the Chrome sandbox. Vulnerabilities that interfere with browser security features are also considered High severity.

Four of the seven High severity issues are use-after-free issues. These bugs can potentially be exploited to allow an attacker to run arbitrary code. Of the remaining three, two are out-of-bounds writes (one in the OGG container and one related to PDF). Again, these types of errors are a foothold for a fully working exploit. The last High severity error is an invalid write in v8 regex. In total, Google paid out $4000 in bounties to the external security researchers who found these errors.

The full list of security related fixes is:

  • [112983] Low CVE-2011-3083: Browser crash with video + FTP. Credit to Aki Helin of OUSPG.
  • [113496] Low CVE-2011-3084: Load links from internal pages in their own process. Credit to Brett Wilson of the Chromium development community.
  • [118374] Medium CVE-2011-3085: UI corruption with long autofilled values. Credit to “psaldorn”.
  • [$1000] [118642] High CVE-2011-3086: Use-after-free with style element. Credit to Arthur Gerkis.
  • [118664] Low CVE-2011-3087: Incorrect window navigation. Credit to Charlie Reis of the Chromium development community.
  • [$500] [120648] Medium CVE-2011-3088: Out-of-bounds read in hairline drawing. Credit to Aki Helin of OUSPG.
  • [$1000] [120711] High CVE-2011-3089: Use-after-free in table handling. Credit to miaubiz.
  • [$500] [121223] Medium CVE-2011-3090: Race condition with workers. Credit to Arthur Gerkis.
  • [121734] High CVE-2011-3091: Use-after-free with indexed DB. Credit to Google Chrome Security Team (Inferno).
  • [$1000] [122337] High CVE-2011-3092: Invalid write in v8 regex. Credit to Christian Holler.
  • [$500] [122585] Medium CVE-2011-3093: Out-of-bounds read in glyph handling. Credit to miaubiz.
  • [122586] Medium CVE-2011-3094: Out-of-bounds read in Tibetan handling. Credit to miaubiz.
  • [$1000] [123481] High CVE-2011-3095: Out-of-bounds write in OGG container. Credit to Hannu Heikkinen.
  • [Linux only] [123530] Low CVE-2011-3096: Use-after-free in GTK omnibox handling. Credit to Arthur Gerkis.
  • [123733] [124182] High CVE-2011-3097: Out-of-bounds write in sampled functions with PDF. Credit to Kostya Serebryany of Google and Evgeniy Stepanov of Google.
  • [Windows only] [124216] Low CVE-2011-3098: Bad search path for Windows Media Player plug-in. Credit to Haifei Li of Microsoft and MSVR (MSVR:159).
  • [124479] High CVE-2011-3099: Use-after-free in PDF with corrupt font encoding name. Credit to Mateusz Jurczyk of Google Security Team and Gynvael Coldwind of Google Security Team.
  • [124652] Medium CVE-2011-3100: Out-of-bounds read drawing dash paths. Credit to Google Chrome Security Team (Inferno).

Note that the referenced bugs may be kept private, by Google, until a majority of users are using the latest version of Chrome.

For the astute amongst you, the above list has 18 bullet points, but CVE-2011-3097: “Out-of-bounds write in sampled functions with PDF” covers two bugs making it 19 fixes for Chrome 19!

Having said that, Google also released information on two bugs fixed outside of Chrome which could have an impact on the security of Chrome itself:

  • [Linux only] [$500] [118970] Medium CVE-2011-3101: Work around Linux Nvidia driver bug. Credit to Aki Helin of OUSPG.
  • [$1500] [125462] High CVE-2011-3102: Off-by-one out-of-bounds write in libxml. Credit to Jüri Aedla.

Finally, Google paid out over $9000 to researchers who found security holes in Chrome 19 during its development.