Google fixes 7 Chrome security holes just before CanSecWest

The day before two annual Google-sponsored hacking contests kick off at a security conference in Vancouver, Google tidies up some of Chrome's loose ends.

Google has fixed seven security flaws in Chrome, just a day before the annual, real-time hacking competitions Pwnium and Pwn2Own.

The new security update for Chrome on Windows, Mac, and Linux patched four flaws labeled as High, below the more important level of Critical; three flaws in its rendering engine V8; and updated its internal version of Flash Player.

Three High-level vulnerabilities were found by three independent researchers, who earned a total of $8,000 for their work. The last High-level vulnerability was discovered by Google employees, as were the V8 vulnerabilities.

  • [$4000][344881] High CVE-2014-1700: Use-after-free in speech. Credit to Chamal de Silva.
  • [$3000][342618] High CVE-2014-1701: UXSS in events. Credit to aidanhs.
  • [$1000][333058] High CVE-2014-1702: Use-after-free in web database. Credit to Collin Payne.
  • [338354] High CVE-2014-1703: Potential sandbox escape due to a use-after-free in web sockets.
  • [328202, 349079, 345715] CVE-2014-1704: Multiple vulnerabilities in V8 fixed in version 3.23.17.18.
  • Google did not immediately respond to a request for comment, although Google does issue security updates for Chrome on a regular basis.

    About the author

    Senior writer Seth Rosenblatt covers Google and security for CNET News, with occasional forays into tech and pop culture. Formerly a CNET Reviews senior editor for software, he has written about nearly every category of software and app available.

     

    Join the discussion

    Conversation powered by Livefyre

    Show Comments Hide Comments