November 23, 2014

Google releases Chrome 22 with $28,500 worth of security fixes and a workaround for a Windows kernel memory corruption

(LiveHacking.Com) – Google has released Chrome 22 with a variety of new features including a new Mouse Lock API (used mainly by 3D games) and some very important security fixes including a Critical level fix for a Windows kernel memory corruption. Under its reward scheme, which pays security researchers real money for their efforts in finding vulnerabilities in Chrome, Google paid out $28500 for vulnerabilities fixed in Chrome 22, one of which (the Windows kernel memory corruption) was award $10,000 while two UXSS  vulnerabilities earned Sergey Glazunov $15,000.

There are no details yet on the Windows kernel memory corruption or the nature of the Universal XSS flaws as Google (wisely) keeps the bug details private until a majority of users have updated. The Critical flaw in Windows (146254 / CVE-2012-2897) is credited to Eetu Luodemaa and Joni Vähämäki, both from Documill.

The UXSS errors are rated has High:

  • [143439] High CVE-2012-2889: UXSS in frame handling. Credit to Sergey Glazunov.
  • [143437] High CVE-2012-2886: UXSS in v8 bindings. Credit to Sergey Glazunov.

Other security related bugs fixed (along with the related rewards) are:

  • [$2000] [139814] High CVE-2012-2881: DOM tree corruption with plug-ins. Credit to Chamal de Silva.
  • [$1000] [135432] High CVE-2012-2876: Buffer overflow in SSE2 optimizations. Credit to Atte Kettunen of OUSPG.
  • [$1000] [140803] High CVE-2012-2883: Out-of-bounds write in Skia. Credit to Atte Kettunen of OUSPG.
  • [$1000] [143609] High CVE-2012-2887: Use-after-free in onclick handling. Credit to Atte Kettunen of OUSPG.
  • [$1000] [143656] High CVE-2012-2888: Use-after-free in SVG text references. Credit to miaubiz.
  • [$1000] [144899] High CVE-2012-2894: Crash in graphics context handling. Credit to Sławomir Błażek.
  • [Mac only] [$1000] [145544] High CVE-2012-2896: Integer overflow in WebGL. Credit to miaubiz.
  • [$500] [137707] Medium CVE-2012-2877: Browser crash with extensions and modal dialogs. Credit to Nir Moshe.
  • [$500] [139168] Low CVE-2012-2879: DOM topology corruption. Credit to pawlkt.
  • [$500] [141651] Medium CVE-2012-2884: Out-of-bounds read in Skia. Credit to Atte Kettunen of OUSPG.
  • [132398] High CVE-2012-2874: Out-of-bounds write in Skia. Credit to Google Chrome Security Team (Inferno).
  • [134955] [135488] [137106] [137288] [137302] [137547] [137556] [137606] [137635] [137880] [137928] [144579] [145079] [145121] [145163] [146462] Medium CVE-2012-2875: Various lower severity issues in the PDF viewer. Credit to Mateusz Jurczyk of Google Security Team, with contributions by Gynvael Coldwind of Google Security Team.
  • [137852] High CVE-2012-2878: Use-after-free in plug-in handling. Credit to Fermin Serna of Google Security Team.
  • [139462] Medium CVE-2012-2880: Race condition in plug-in paint buffer. Credit to Google Chrome Security Team (Cris Neckar).
  • [140647] High CVE-2012-2882: Wild pointer in OGG container handling. Credit to Google Chrome Security Team (Inferno).
  • [142310] Medium CVE-2012-2885: Possible double free on exit. Credit to the Chromium development community.
  • [143798] [144072] [147402] High CVE-2012-2890: Use-after-free in PDF viewer. Credit to Mateusz Jurczyk of Google Security Team, with contributions by Gynvael Coldwind of Google Security Team.
  • [144051] Low CVE-2012-2891: Address leak over IPC. Credit to Lei Zhang of the Chromium development community.
  • [144704] Low CVE-2012-2892: Pop-up block bypass. Credit to Google Chrome Security Team (Cris Neckar).
  • [144799] High CVE-2012-2893: Double free in XSL transforms. Credit to Google Chrome Security Team (Cris Neckar).
  • [145029] [145157] [146460] High CVE-2012-2895: Out-of-bounds writes in PDF viewer. Credit to Mateusz Jurczyk of Google Security Team, with contributions by Gynvael Coldwind of Google Security Team.

The new mouse lock API included in Chrome 22 allows 3D applications, such as first-person games, to offer users control of the in-game 3D perspective using the mouse, without moving outside the window or bumping into the edge of their screen. Google recommends this first-person shooter demo created by Mozilla.

iOS 5.1.1 Fixes Address Bar Spoofing Vulnerability and WebKit Bugs

(LiveHacking.Com) – Apple have released iOS 5.1.1 for the iPhone, iPad and iPod Touch to add improvements and bug fixes while fixing a number of critical security vulnerabilities.

The first vulnerability fixed is the address bar spoofing bug which we reported on back in March. David Vieira-Kurz of MajorSecurity discovered an address bar spoofing vulnerability in WebKit  that allows an attacker to manipulate the address bar in the browser and take the user to a malicious site with a fake (but genuine looking) URL showing. The vulnerability is caused due to an error in the handling of URLs when using javascript’s window.open() method.

The next vulnerability fixed by Apple is the cross-site scripting issue found by Sergey Glazunov that earned him $60,000 from Google under its Pwnium: rewards for exploits contest. Details of the exact nature of Sergey’s exploit are still unavailable but it is known that WebKit doesn’t properly handle history navigation, which allows remote attackers to execute arbitrary code by leveraging a “Universal XSS (UXSS)” issue.

The final fix is also shrouded in mystery. CVE-2012-0672, which was found by Adam Barth and Abhishek Arya of the Google Chrome Security Team, is a memory corruption issue in WebKit that, if exploited, would allow an attacker to create a malicious website that could crash Safari or execute arbitrary code. However that is all that is known!

iOS 5.1.1 is available for the  iPhone 3GS, iPhone 4, iPhone 4S, iPod touch (3rd generation) and later, iPad and iPad 2.

Google Hands Out $4500 in Rewards for Chrome 17.0.963.83

(LiveHacking.Com) – Google has released Chrome 17.0.963.83 to fix several ‘High’ level security bugs. In doing so it handed out $4500 to security researchers who found and reported security related bugs in Google’s web browser. The new update also include the start of hardening measures based on study of the exploits submitted to the Pwnium competition.

Security fixes and rewards:

  • [$1000] [113902] High CVE-2011-3050: Use-after-free with first-letter handling. Credit to miaubiz.
  • [116162] High CVE-2011-3045: libpng integer issue from upstream. Credit to Glenn Randers-Pehrson of the libpng project.
  • [$1000] [116461] High CVE-2011-3051: Use-after-free in CSS cross-fade handling. Credit to Arthur Gerkis.
  • [116637] High CVE-2011-3052: Memory corruption in WebGL canvas handling. Credit to Ben Vanik of Google.
  • [$1000] [116746] High CVE-2011-3053: Use-after-free in block splitting. Credit to miaubiz.
  • [117418] Low CVE-2011-3054: Apply additional isolations to webui privileges. Credit to Sergey Glazunov.
  • [117736] Low CVE-2011-3055: Prompt in the browser native UI for unpacked extension installation. Credit to PinkiePie.
  • [$2000] [117550] High CVE-2011-3056: Cross-origin violation with “magic iframe”. Credit to Sergey Glazunov.
  • [$500] [117794] Medium CVE-2011-3057: Invalid read in v8. Credit to Christian Holler.

Google also listed a low severity issue that was fixed in a previous patch but the company had forgotten to issue a proper credit:

  • [108648] Low CVE-2011-3049: Extension web request API can interfere with system requests. Credit to Michael Gundlach.

Note that the referenced bugs may be kept private until a majority of Chrome users are up to date with the fix.

 

Apple Includes iOS 5.1 WebKit Fixes in Safari

(LiveHacking.Com) – Apple recently released iOS 5.1 with over 60 fixes to WebKit, the web rendering engine used by the iPhone’s operating system. Now Apple has released and update to Safari (its web browser for Windows and Mac) with many an almost identical set of fixes. One thing made very clear from this is that Apple are truly using the same code across its mobile and desktop versions of it Safari browser and that vulnerabilities found by Google in its web browser often apply to Safari in iOS and on the desktop.

As with the iOS update, most (if not all) of these WebKit errors have been previously fixed in Google’s Chrome web browser with many of the vulnerabilities being credited to  the “Google Chrome Security Team” or to security researchers who receive rewards from Google for finding bugs like Sergey Glazunov. However Apple did do its fair share of the work with a good portion of the WebKit vulnerabilities being discovered by Apple themselves.

The majority of the WebKit errors are described by Apple, in its security advisory, as memory corruption issues that can be exploited if the user visits a specially crafted web page. Rendering the page may lead to an unexpected application termination or arbitrary code execution. Other fixes included in Safari 5.1.4 include:

  • Look-alike characters in a URL could be used to masquerade a website. The International Domain Name (IDN) support in Safari could be used to create a URL which contains look-alike characters. These could be used in a malicious web site to direct the user to a spoofed site that visually appears to be a legitimate domain. This issue is addressed through an improved domain name validity check. This issue does not affect OS X systems.
  • Visiting a maliciously crafted website may lead to the disclosure of cookies. A cross-origin issue existed in WebKit, which may allow cookies to be disclosed across origins.
  • Visiting a maliciously crafted website and dragging content with the mouse may lead to a cross-site scripting attack. A cross-origin issue existed in WebKit, which may allow content to be dragged and dropped across origins.
  • Cookies may be set by third-party sites, even when Safari is configured to block them. An issue existed in the enforcement of its cookie policy. Third-party websites could set cookies if the “Block Cookies” preference in Safari was set to the default setting of “From third parties and advertisers”.
  • HTTP authentication credentials may be inadvertently disclosed to another site. If a site uses HTTP authentication and redirects to another site, the authentication credentials may be sent to the other site.

Still Vulnerable?

What is currently unknown is if Safari is vulnerable to the two critical vulnerabilities found in Chrome last week during the CanSecWest security conference for which Google paid out over $120,000 to Sergey Glazunov and a researcher known as PinkiePie (aka PwniePie).

Download

Safari 5.1.4 is available to download, for Mac and Winodws, from Apple’s Safari page.

Google Updates Chrome and then Updates it Again

(LiveHacking.Com) – Google has released two quick successive updates to its Chrome browser following multiple vulnerabilities found and exploited during Pwnium. In recent years Google has sponsored rewards for Chrome exploits demonstrated during the CanSecWest security conference, and this year was no different. The idea is to rewards those that develop a fully functional exploit as to do so is significantly more work than just finding and reporting a potential security bug. Google made a pot available of $1,000,000 with the top prize being $60,000 for a full Chrome exploit demonstrated on a fully patched Windows 7 machine.

The first release by Google was 17.0.963.78 to fix a vulnerability discovered by Sergey Glazunov. The critical vulneravility, which used errors in the UXSS and the handling of history data, earned Sergey the top amount of $60,000.

Two days later Google issued 17.0.963.79 to fix a vulnerability found by PinkiePie (aka PwniePie) for an errant plug-in load and GPU process memory corruption. Jason Kersey from the Google Chrome team is quoted as calling the exploit “a beautiful piece of work.”

The full list of changes as listed by Google are:

  • [Ch-ch-ch-ch-ching!!! $60,000] [117226] [117230] Critical CVE-2011-3046: UXSS and bad history navigation. Credit to Sergey Glazunov.
  • [Like a b-b-b-b-boss!!! $60,000] [117620] [117656] Critical CVE-2011-3047: Errant plug-in load and GPU process memory corruption. Credit to PinkiePie.

We’re delighted at the success of Pwnium and the ability to study full exploits. We anticipate landing additional changes and hardening measures for both CVE-2011-3046 and CVE-2011-3047 in the near future. We also believe that both submissions are works of art and deserve wider sharing and recognition. We plan to do technical reports on both Pwnium submissions in the future.

Google Releases Chrome 15.0.874.102 – Pays Out $26,511 To Bug Hunters

(LiveHacking.Com) – Google has released Chrome 15 for Windows, OS X and Linux with a redesigned  New Tab page and over $26,000 of security fixes. The biggest bug bounty went to Sergey Glazunov for bugs related to cross-origin policy violations. Google paid him a little over $12,000 for his efforts.

None of the bugs fixed were rated “Critical”, however 11 of the 18 vulnerabilities were rated “high,” while 3 were ranked as “medium” and another four were tagged as “low.”

The full list of  security related bugs fixed (along with any reward payment) is:

  • [$500] [86758] High CVE-2011-2845: URL bar spoof in history handling. Credit to Jordi Chancel.
  • [88949] Medium CVE-2011-3875: URL bar spoof with drag+drop of URLs. Credit to Jordi Chancel.
  • [90217] Low CVE-2011-3876: Avoid stripping whitespace at the end of download filenames. Credit to Marc Novak.
  • [91218] Low CVE-2011-3877: XSS in appcache internals page. Credit to Google Chrome Security Team (Tom Sepez) plus independent discovery by Juho Nurminen.
  • [94487] Medium CVE-2011-3878: Race condition in worker process initialization. Credit to miaubiz.
  • [95374] Low CVE-2011-3879: Avoid redirect to chrome scheme URIs. Credit to Masato Kinugawa.
  • [95992] Low CVE-2011-3880: Don’t permit as a HTTP header delimiter. Credit to Vladimir Vorontsov, ONsec company.
  • [$12174] [96047] [96885] [98053] [99512] [99750] High CVE-2011-3881: Cross-origin policy violations. Credit to Sergey Glazunov.
  • [96292] High CVE-2011-3882: Use-after-free in media buffer handling. Credit to Google Chrome Security Team (Inferno).
  • [$1000] [96902] High CVE-2011-3883: Use-after-free in counter handling. Credit to miaubiz.
  • [97148] High CVE-2011-3884: Timing issues in DOM traversal. Credit to Brian Ryner of the Chromium development community.
  • [$6337] [97599] [98064] [98556] [99294] [99880] [100059] High CVE-2011-3885: Stale style bugs leading to use-after-free. Credit to miaubiz.
  • [$2000] [98773] [99167] High CVE-2011-3886: Out of bounds writes in v8. Credit to Christian Holler.
  • [$1500] [98407] Medium CVE-2011-3887: Cookie theft with javascript URIs. Credit to Sergey Glazunov.
  • [$1000] [99138] High CVE-2011-3888: Use-after-free with plug-in and editing. Credit to miaubiz.
  • [$2000] [99211] High CVE-2011-3889: Heap overflow in Web Audio. Credit to miaubiz.
  • [99553] High CVE-2011-3890: Use-after-free in video source handling. Credit to Ami Fischman of the Chromium development community.
  • [100332] High CVE-2011-3891: Exposure of internal v8 functions. Credit to Steven Keuchel of the Chromium development community plus independent discovery by Daniel Divricean.
Note that the referenced bugs are kept private by Google until a majority of Chrome users have updated.
It is also interesting to note that bugs [94487], [96292], [96902], [97599], [98064], [98556], [99294], [100059], [99138] and [99211] were detected using AddressSanitizer.

Apple Releases iTunes 10.5 With Support for iOS 5 and Fixes for Multiple Vulnerabilities

(LiveHacking.Com) – Apple has released iTunes 10.5 in preparation for the imminent release of iOS5. Along with support for iCloud and wireless syncing, iTunes 10.5 contains a large number of security related fixes for the Windows version. The OS X version contains all the new features but not the security fixes as Apple is planning to release a separate system wide update for OS X to address these vulnerabilities, although some have already been addressed in previous security updates by Apple.

The update fixes 79 vulnerabilities of which 73 are within WebKit, the HTML rendering engine found in Safari and Google Chrome, which Apple also uses to power iTunes. Since fixes are also applied to WebKit via Google’s Vulnerability Rewards Program, names like Sergey Glazunov (famous for his work on Chrome) also appear in the list of contributors.

Other than the WebKit fixes, the following vulnerabilities were patched:

  • A memory corruption issue existed in the handling of string tokenization. This issue does not affect OS X Lion systems. For Mac OS X v10.6 systems, this issue is addressed in Security Update 2011-006.
  • An integer overflow existed in the handling of images with an embedded ColorSync profile, which may lead to a heap buffer overflow. Opening a maliciously crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution. This issue does not affect OS X Lion systems.
  • A buffer overflow existed in the handling of audio stream encoded with the advanced audio code. This issue does not affect OS X Lion systems.
  • A buffer overflow existed in the handling of H.264 encoded movie files. For OS X Lion systems, this issue is addressed in OS X Lion v10.7.2. For Mac OS X v10.6 systems, this issue is addressed in Security Update 2011-006.
  • A heap buffer overflow existed in ImageIO’s handling of TIFF images. This issue does not affect OS X Lion systems. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8.
  • A reentrancy issue existed in ImageIO’s handling of TIFF images. This issue does not affect Mac OS X systems.

Google Pays Out $10,000 to Make Latest Version of Chrome Secure

(LiveHacking.Com) – Google has released the latest version of Chrome (14.0.835.202) with Adobe Flash Player 11 and $10,000 worth of security fixes. Google has been running its Chromium Security Rewards program for quite some time now and has quashed hundreds of security related bugs thanks to the contributions from coders all over the world.

Some of these contributors have become semi-famous and one in particular has a long standing record of finding security related bugs in Chrome. His name is Sergey Glazunov and with this release Google paid him over $8000 for finding three different bugs, one of which earned him $4500 alone.

The security bugs killed in this version include:

  • [$1000] [93788] High CVE-2011-2876: Use-after-free in text line box handling. Credit to miaubiz.
  • [$1000] [95072] High CVE-2011-2877: Stale font in SVG text handling. Credit to miaubiz.
  • [$2000] [95671] High CVE-2011-2878: Inappropriate cross-origin access to the window prototype. Credit to Sergey Glazunov.
  • [96150] High CVE-2011-2879: Lifetime and threading issues in audio node handling. Credit to Google Chrome Security Team (Inferno).
  • [$4500] [97451] [97520] [97615] High CVE-2011-2880: Use-after-free in the v8 bindings. Credit to Sergey Glazunov.
  • [$1500] [97784] High CVE-2011-2881: Memory corruption with v8 hidden objects. Credit to Sergey Glazunov.
  • [98089] Critical CVE-2011-3873: Memory corruption in shader translator. Credit to Zhenyao Mo of the Chromium development community.
Note that the referenced bugs are kept private by Google until a majority of Chrome users have updated.

Google Chrome 14 Out

(LiveHacking.Com) – Google has released Chrome 14 for all platforms.  14.0.835.163, to give it its full title,  contains a number of security fixes as well as new functionality.

The list of security fixes is impressively long with Google paying out over $14,000 in rewards to the coders that spotted and reported many of the security issues.

  • [49377] High CVE-2011-2835: Race condition in the certificate cache. Credit to Ryan Sleevi of the Chromium development community.
  • [51464] Low CVE-2011-2836: Infobar the Windows Media Player plug-in to avoid click-free access to the system Flash. Credit to electronixtar.
  • [Linux only] [57908] Low CVE-2011-2837: Use PIC / pie compiler flags. Credit to wbrana.
  • [75070] Low CVE-2011-2838: Treat MIME type more authoritatively when loading plug-ins. Credit to Michal Zalewski of the Google Security Team.
  • [76771] High CVE-2011-2839: Crash in v8 script object wrappers. Credit to Kostya Serebryany of the Chromium development community.
  • [78427] [83031] Low CVE-2011-2840: Possible URL bar spoofs with unusual user interaction. Credit to kuzzcc.
  • [$500] [78639] High CVE-2011-2841: Garbage collection error in PDF. Credit to Mario Gomes.
  • [Mac only] [80680] Low CVE-2011-2842: Insecure lock file handling in the Mac installer. Credit to Aaron Sigel of vtty.com.
  • [82438] Medium CVE-2011-2843: Out-of-bounds read with media buffers. Credit to Kostya Serebryany of the Chromium development community.
  • [85041] Medium CVE-2011-2844: Out-of-bounds read with mp3 files. Credit to Mario Gomes.
  • [$1000] [89219] High CVE-2011-2846: Use-after-free in unload event handling. Credit to Arthur Gerkis.
  • [$1000] [89330] High CVE-2011-2847: Use-after-free in document loader. Credit to miaubiz.
  • [$500] [89564] Medium CVE-2011-2848: URL bar spoof with forward button. Credit to Jordi Chancel.
  • [89795] Low CVE-2011-2849: Browser NULL pointer crash with WebSockets. Credit to Arthur Gerkis.
  • [$500] [89991] Medium CVE-2011-3234: Out-of-bounds read in box handling. Credit to miaubiz.
  • [90134] Medium CVE-2011-2850: Out-of-bounds read with Khmer characters. Credit to miaubiz.
  • [90173] Medium CVE-2011-2851: Out-of-bounds read in video handling. Credit to Google Chrome Security Team (Inferno).
  • [$500] [91120] High CVE-2011-2852: Off-by-one in v8. Credit to Christian Holler.
  • [91197] High CVE-2011-2853: Use-after-free in plug-in handling. Credit to Google Chrome Security Team (SkyLined).
  • [$1000] [92651] [94800] High CVE-2011-2854: Use-after-free in ruby / table style handing. Credit to Sławomir Błażek, and independent later discoveries by miaubiz and Google Chrome Security Team (Inferno).
  • [$1000] [92959] High CVE-2011-2855: Stale node in stylesheet handling. Credit to Arthur Gerkis.
  • [$2000] [93416] High CVE-2011-2856: Cross-origin bypass in v8. Credit to Daniel Divricean.
  • [$1000] [93420] High CVE-2011-2857: Use-after-free in focus controller. Credit to miaubiz.
  • [$1000] [93472] High CVE-2011-2834: Double free in libxml XPath handling. Credit to Yang Dingning from NCNIPC, Graduate University of Chinese Academy of Sciences.
  • [93497] Medium CVE-2011-2859: Incorrect permissions assigned to non-gallery pages. Credit to Bernhard ‘Bruhns’ Brehm of Recurity Labs.
  • [$1000] [93587] High CVE-2011-2860: Use-after-free in table style handling. Credit to miaubiz.
  • [93596] Medium CVE-2011-2861: Bad string read in PDF. Credit to Aki Helin of OUSPG.
  • [$2337] [93906] High CVE-2011-2862: Unintended access to v8 built-in objects. Credit to Sergey Glazunov.
  • [95563] Medium CVE-2011-2864: Out-of-bounds read with Tibetan characters. Credit to Google Chrome Security Team (Inferno).
  • [95625] Medium CVE-2011-2858: Out-of-bounds read with triangle arrays. Credit to Google Chrome Security Team (Inferno).
  • [95917] Low CVE-2011-2874: Failure to pin a self-signed cert for a session. Credit to Nishant Yadant of VMware and Craig Chamberlain (@randomuserid).
  • [$1000] [95920] High CVE-2011-2875: Type confusion in v8 object sealing. Credit to Christian Holler.

The highest payout went to Sergey Glazunov for finding a unintended access to v8 built-in objects. He got $2337 for his efforts.

Note that the referenced bugs are kept private by Google until a majority of users are up to date with the fix.

New Functionality
Chrome 14 contains two significant technologies which allow developers to create even more powerful web apps and games:

  • The Web Audio API enables developers to add fancy audio effects such as room simulation and spatialization.
  • Native Client is an open-source technology which allows C and C++ code to be seamlessly and securely executed inside the browser. Currently, Native Client only supports applications listed in the Chrome Web Store, but we are working to remove this limitation as soon as possible.

OS X Lion
For OS X Lion users Chrome now uses Lion’s overlay scrollbars, which appear only while you’re scrolling. We’ve also added initial support for Lion’s full-screen mode, triggered by a full-screen button or Ctrl+Shift+F.

Google Fixes Critical Memory Corruption Vulnerability in Chrome

(LiveHacking.Com) – Google has released Chrome 13.0.782.215 for all platforms. This version addresses multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code.

Security
Google gave out over $8,000 in rewards for this version with the biggest reward going to Sergey Glazunov for an integer overflow bug. The only critical vulnerability listed for this release is a memory corruption in the vertex handling. It was found by Michael Braithwaite of Turbulenz Limited and he was rewarded $1337 for his efforts.

The security fixes are:

  • [$1000] [Windows only] [72492] Medium CVE-2011-2822: URL parsing confusion on the command line. Credit to Vladimir Vorontsov, ONsec company.
  • [82552] High CVE-2011-2823: Use-after-free in line box handling. Credit to Google Chrome Security Team (SkyLined) and independent later discovery by miaubiz.
  • [$1000] [88216] High CVE-2011-2824: Use-after-free with counter nodes. Credit to miaubiz.
  • [88670] High CVE-2011-2825: Use-after-free with custom fonts. Credit to wushi of team509 reported through ZDI (ZDI-CAN-1283), plus indepdendent later discovery by miaubiz.
  • [$1000] [89402] High CVE-2011-2821: Double free in libxml XPath handling. Credit to Yang Dingning from NCNIPC, Graduate University of Chinese Academy of Sciences.
  • [$1000] [87453] High CVE-2011-2826: Cross-origin violation with empty origins. Credit to Sergey Glazunov.
  • [$1337] [Windows only] [89836] Critical CVE-2011-2806: Memory corruption in vertex handing. Credit to Michael Braithwaite of Turbulenz Limited.
  • [$1000] [90668] High CVE-2011-2827: Use-after-free in text searching. Credit to miaubiz.
  • [91517] High CVE-2011-2828: Out-of-bounds write in v8. Credit to Google Chrome Security Team (SkyLined).
  • [$1500] [32-bit only] [91598] High CVE-2011-2829: Integer overflow in uniform arrays. Credit to Sergey Glazunov.
  • [$1000] [Linux only] [91665] High CVE-2011-2839: Buggy memset() in PDF. Credit to Aki Helin of OUSPG.

Note that the referenced bugs are kept private by Google until a majority of users are up to date with the fix.