Google bug bounty brings patches for 31 Chrome flaws
Thousands of dollars have been awarded to bug hunters who reported 31 flaws for the Chrome 34 release, 19 deemed critical.
Google has awarded over $28,000 to bug hunters who have contributed to fixing security problems in Chrome 34.
According to Google's Chrome Releases blog, the Chrome 34 release -- now promoted to the Stable channel -- contains a number of fixes and improvements. In total, 34 security vulnerabilities have been patched, including approximately 19 highly rated, critical flaws.
In the next release of Chrome, when Chrome 34 becomes part of the Stable Channel and is then rolled out as a default browser for millions of users, the software will include a new feature: it will "now offer to remember and fill password fields in the presence of autocomplete=off." In other words, even if a website turns off automatic password retention, Chrome will offer to do it anyway for password fields.
The Chrome development team says "it is the security team's view that this is very important for user security by allowing users to have unique and more complex passwords for websites."
In addition, Chrome 34 includes new apps, extended APIs, a different look for Windows 8, and "lots of under the hood" changes to improve stability and performance.
The full list of fixes is below:
- [$5000] High CVE-2014-1716: UXSS in V8. Credit to Anonymous.
- [$5000] High CVE-2014-1717: OOB access in V8. Credit to Anonymous.
- [$3000] High CVE-2014-1718: Integer overflow in compositor. Credit to Aaron Staple.
- [$3000] High CVE-2014-1719: Use-after-free in web workers. Credit to Collin Payne.
- [$2000] High CVE-2014-1720: Use-after-free in DOM. Credit to cloudfuzzer.
- [$2000] High CVE-2014-1721: Memory corruption in V8. Credit to Christian Holler.
- [$2000] High CVE-2014-1722: Use-after-free in rendering. Credit to miaubiz.
- [$1500] High CVE-2014-1723: Url confusion with RTL characters. Credit to George McBay.
- [$1000] High CVE-2014-1724: Use-after-free in speech. Credit to Atte Kettunen of OUSPG.
- [$3000] Medium CVE-2014-1725: OOB read with window property. Credit to Anonymous.
- [$1000] Medium CVE-2014-1726: Local cross-origin bypass. Credit to Jann Horn.
- [$1000] Medium CVE-2014-1727: Use-after-free in forms. Credit to Khalil Zhani.
"As usual," Google said on the Chrome Releases blog, "our ongoing internal security work [is] responsible for a wide range of fixes:
- CVE-2014-1728: Various fixes from internal audits, fuzzing, and other initiatives. [345820, 347262, 348319, 350863, 352982, 355586, 358059]
- CVE-2014-1729: Multiple vulnerabilities in V8 fixed in version 220.127.116.11."
This story originally appeared at ZDNet under the headline "Google patches 31 Chrome flaws, issues bug bounty rewards."