We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Google patches 11 flaws in Chrome

Update also adds non-security features to browser

Google has patched 11 bugs in the Windows version of its Chrome web browser.

Among the flaws patched is one that earned its finder the first $1,337 (£882) cheque from the company's new bug bounty program.

Like Apple, which updated Safari last week, Google beefed up the security of its browser just days before the Pwn2Own browser hacking contest was to kick off in Canada.

The update to Chrome 4.1.249.1036 fixes six flaws rated 'high', the second-most-severe ranking in Google's four-step threat system, along with three 'medium' and two 'low' bugs.

Danish vulnerability tracker Secunia rated the update as "highly critical".

Although Google typically hides technical details of the most serious vulnerabilities when it issues an update - it blocks bug tracker entries to prevent attackers from using the information - all of the 11 bugs are behind the wall this time.

"The referenced bugs may be kept private until a majority of our users are up to date with the fix," explained Orit Mazor, a technical program manager with the Chrome team, in a blog.

A bug in WebKit, the open-source browser engine that powers Chrome as well as Safari, earned researcher Sergey Glazunov a check for $1,337 (£882), the maximum Google pays for vulnerabilities as part of a bounty program that debuted in January.

Most flaws earn their finders just $500 (£330), but "particularly severe or particularly clever" bugs reap rewards of $1,337 each.

The amount is a reference to 'leet', a kind of geek-speak used by some researchers. 'Leet' is rendered as '1337'.

Other vulnerabilities were credited to Mark Dowd, a noted browser and OS vulnerability researcher who is working under contract for Google, Robert 'RSnake' Hansen, CEO of SecTheory and Aki Helin of OUSPG (Oulu University Secure Programming Group), Oulu University in Finland.

Altogether, Google paid out $3,337 (£2,204) in bounties for the bugs it patched in this update.

Only the Windows 'stable' channel - a term Google uses in place of 'final' - was patched, the Mac and Linux versions of Chrome have not yet left the 'beta' channel.

Google also added several non-security features to the update, including integrated language translation and new private browsing settings, that had made their way into the beta earlier this month.

Chrome is the second browser to be patched in seven days. On March 11, Apple fixed 16 flaws in Safari.

Both browsers' updates were timely. Starting next Wednesday, Chrome, Safari, Microsoft 's Internet Explorer 8 (IE8) and Mozilla's Firefox will go head-to-head with an unknown number of hackers who will try to exploit unpatched vulnerabilities and win $40,000 in cash at Pwn2Own, the annual contest sponsored by 3Com's TippingPoint.

Aaron Portnoy, a security research team lead at TippingPoint and the organiser of this year's Pwn2Own, predicted that Safari would fall to attack on the second of the contest's three days, while Chrome would be the sole survivor.

The last time Google patched the stable build of Chrome for Windows was in late January.

Chrome is now the third-most-used browser on the planet, having grabbed the number three spot from Safari in December 2009, and as of last month, accounted for approximately 6 percent of all browsers in use, according to web measurement firm Net Applications.

See also: Chrome offers cookie control on specific sites


IDG UK Sites

Nexus 6 vs Samsung Galaxy Note 4 comparison: What's the best Android phablet?

IDG UK Sites

The iPhone is doomed. Doomed to be marginally less successful than a very successful thing.

IDG UK Sites

How to prototype native mobile apps without writing code

IDG UK Sites

How to prepare for and update to OS X Yosemite: Get your Mac ready to download & install Apple's...