Google splashes $80k on Chrome 40 bug splatting

17 critical fixes patched

Google has patched 62 security vulnerabilities in Chrome 40 and handed out US$88,500 to bug hunters who spotted the problems.

Of those fixes, 17 swatted dangerous memory corruption and use-after-free vulnerabilities in Chrome elements including FFmpeg, ICU and DOM.

The Chocolate Factory's digital guardians pushed the flagship browser into the stable channel for Windows, Mac, and Linux. They noted that the Chrome App's info dialog and error messages were updated.

Researcher Yangdingning made $9000 while Cloudfuzzer clocked $12,000 of the $53,500 bug pool. A further $35,000 was handed out for other unspecified security developments.

Here's who scored what, for what:

  • [$5000][430353] High CVE-2014-7923: Memory corruption in ICU. Credit to yangdingning.
  • [$4500][435880] High CVE-2014-7924: Use-after-free in IndexedDB. Credit to Collin Payne.
  • [$4000][434136] High CVE-2014-7925: Use-after-free in WebAudio. Credit to mark.buer.
  • [$4000][422824] High CVE-2014-7926: Memory corruption in ICU. Credit to yangdingning.
  • [$3500][444695] High CVE-2014-7927: Memory corruption in V8. Credit to Christian Holler.
  • [$3500][435073] High CVE-2014-7928: Memory corruption in V8. Credit to Christian Holler.
  • [$3000][442806] High CVE-2014-7930: Use-after-free in DOM. Credit to cloudfuzzer.
  • [$3000][442710] High CVE-2014-7931: Memory corruption in V8. Credit to cloudfuzzer.
  • [$2000][443115] High CVE-2014-7929: Use-after-free in DOM. Credit to cloudfuzzer.
  • [$2000][429666] High CVE-2014-7932: Use-after-free in DOM. Credit to Atte Kettunen of OUSPG.
  • [$2000][427266] High CVE-2014-7933: Use-after-free in FFmpeg. Credit to aohelin.
  • [$2000][427249] High CVE-2014-7934: Use-after-free in DOM. Credit to cloudfuzzer.
  • [$2000][402957] High CVE-2014-7935: Use-after-free in Speech. Credit to Khalil Zhani.
  • [$1500][428561] High CVE-2014-7936: Use-after-free in Views. Credit to Christoph Diehl.
  • [$1500][419060] High CVE-2014-7937: Use-after-free in FFmpeg. Credit to Atte Kettunen of OUSPG.
  • [$1000][416323] High CVE-2014-7938: Memory corruption in Fonts. Credit to Atte Kettunen of OUSPG.
  • [$1000][399951] High CVE-2014-7939: Same-origin-bypass in V8. Credit to Takeshi Terada.
  • [$1000][433866] Medium CVE-2014-7940: Uninitialized-value in ICU. Credit to miaubiz.
  • [$1000][428557] Medium CVE-2014-7941: Out-of-bounds read in UI. Credit to Atte Kettunen of OUSPG and Christoph Diehl.
  • [$1000][426762] Medium CVE-2014-7942: Uninitialized-value in Fonts. Credit to miaubiz.
  • [$1000][422492] Medium CVE-2014-7943: Out-of-bounds read in Skia. Credit to Atte Kettunen of OUSPG.
  • [$1000][418881] Medium CVE-2014-7944: Out-of-bounds read in PDFium. Credit to cloudfuzzer.
  • [$1000][414310] Medium CVE-2014-7945: Out-of-bounds read in PDFium. Credit to cloudfuzzer.
  • [$1000][414109] Medium CVE-2014-7946: Out-of-bounds read in Fonts. Credit to miaubiz.
  • [$500][430566] Medium CVE-2014-7947: Out-of-bounds read in PDFium. Credit to fuzztercluck.
  • [$500][414026] Medium CVE-2014-7948: Caching error in AppCache. Credit to jiayaoqijia.
