Google cures Chrome security flaws in fresh update

Tech giant highlights four vulnerabilities spotted by external researchers -- one with a $5000 bounty -- in notes on the latest update to its Web browser.

Charlie Osborne Contributing Writer
Charlie Osborne is a cybersecurity journalist and photographer who writes for ZDNet and CNET from London. PGP Key: AF40821B.

[Image caption: One anonymous researcher earned $5000 for reporting a flaw in Chrome. Credit: Google]

Google on Monday released a new update for the Chrome Web browser that cures a number of security problems, including two cross-origin bypass flaws and a scheme validation error.

The latest release of the Chrome browser, version 43.0.2357.130 for Windows, Mac and Linux, includes release notes on four security problems reported by third-party researchers. One of the flaws, a scheme validation error reported by an anonymous researcher, earned them $5000. Other rewards are yet to be decided.

Google is among a growing list of tech firms -- including Microsoft, Yahoo, Facebook and others -- that use cash rewards to crowdsource some of their security operations. The programs, called bug bounties, reward security researchers for disclosing bugs to companies and benefit companies by keeping damaging bugs off the black market for vulnerabilities. Google, which was initially criticized by several well-known security researchers in 2010 when it opened its first bug bounty, has since gained a reputation for handsomely rewarding its bug bounty participants.

The fixes Google highlighted in this latest Chrome update are below:

[464922] High CVE-2015-1266: Scheme validation error in WebUI. Credit to anonymous.

[494640] High CVE-2015-1268: Cross-origin bypass in Blink. Credit to Mariusz Mlynski.

[497507] Medium CVE-2015-1267: Cross-origin bypass in Blink. Credit to anonymous.

[461481] Medium CVE-2015-1269: Normalization error in HSTS/HPKP preload list. Credit to Mike Ruddy.

In related news, earlier this month Google boosted bug discovery in Android with the launch of the new Android Security Rewards program. Valid bugs submitted through the program earn a minimum reward of $500, with rewards reaching up to $8,000 for particularly interesting or nasty security flaws.

This story originally posted as "Google issues Chrome security fixes in fresh update" on ZDNet.