Google crushes 33 Chrome bugs, pays boffins more than $56k

Uni kid's turn to shout.

Google has patched 33 Chrome vulnerabilities, including 13 rated high severity, with the release of version 53 of the world's most popular web browser.

Six high-severity bugs were reported in Google's native Adobe Reader wrecker PDFium, namely a use after free and five heap overflows of which three were reported by GiWan Go of mobile app hack outfit Stealien.

Five mostly severe flaws were dug up in the Blink web browser engine including two universal cross-site scripting holes, one use after free, a use after destruction, and a minor type confusion bug.

Massachusetts Institute of Technology computer science student Max Justicz scored US$7500 in beer money for reporting script injection in Chrome extensions.

All told, Google doled out US$56,500 (£42,568, A$74,860) to hackers reporting bugs, and likely more, since four have payouts that are yet to be decided.

Three of those are high-severity heap overflows in Chrome's PDFium and are likely to bag about US$5000 each. The fourth is a medium-severity SMB relay attack that abuses the "Save Page As" functionality.

Google has been on an exciting patch run of late, fixing 48 bugs in July. The full list is below. ®

| Bounty | Google bug ID | Severity | CVE | Description | Credit |
|---|---|---|---|---|---|
| $1000 | 618037 | Medium | CVE-2016-5165 | Script injection in DevTools | Gregory Panakkal |
| $2000 | 637594 | Medium | CVE-2016-5164 | Universal XSS using DevTools | anonymous |
| $3000 | 633002 | High | CVE-2016-5154 | Heap overflow in PDFium | anonymous |
| $3000 | 630662 | High | CVE-2016-5155 | Address bar spoofing | anonymous |
| $3000 | 625404 | High | CVE-2016-5156 | Use after free in event bindings | jinmo123 |
| $3000 | 609680 | Medium | CVE-2016-5163 | Address bar spoofing | Rafay Baloch PTCL Etisalat (http://rafayhackingarticles.net) |
| $3500 | 631052 | High | CVE-2016-5153 | Use after destruction in Blink | Atte Kettunen of OUSPG |
| $500 | 576867 | Low | CVE-2016-5160 | Extensions web accessible resources bypass | @l33terally, FogMarks.com (@FogMarks) |
| $5000 | 637963 | High | CVE-2016-5150 | Use after free in Blink | anonymous |
| $5000 | 634716 | High | CVE-2016-5151 | Use after free in PDFium | anonymous |
| $5000 | 629919 | High | CVE-2016-5152 | Heap overflow in PDFium | GiWan Go of Stealien |
| $7500 | 628942 | High | CVE-2016-5147 | Universal XSS in Blink | anonymous |
| $7500 | 621362 | High | CVE-2016-5148 | Universal XSS in Blink | anonymous |
| $7500 | 573131 | High | CVE-2016-5149 | Script injection in extensions | Max Justicz (http://web.mit.edu/maxj/www/) |
| n/a | 622420 | Medium | CVE-2016-5161 | Type confusion in Blink | 62600BCA031B9EB5CB4A74ADDDD6771E working with Trend Micro's Zero Day Initiative |
| n/a | 589237 | Medium | CVE-2016-5162 | Extensions web accessible resources bypass | Nicolas Golubovic |
| TBD | 632622 | High | CVE-2016-5157 | Heap overflow in PDFium | anonymous |
| TBD | 628890 | High | CVE-2016-5158 | Heap overflow in PDFium | GiWan Go of Stealien |
| TBD | 628304 | High | CVE-2016-5159 | Heap overflow in PDFium | GiWan Go of Stealien |
| TBD | 616429 | Medium | CVE-2016-5166 | SMB Relay Attack via Save Page As | Gregory Panakkal |
