Google fixes 7 Chrome security holes just before CanSecWest

The day before two annual Google-sponsored hacking contests kick off at a security conference in Vancouver, Google tidies up some of Chrome's loose ends.

Seth Rosenblatt Former Senior Writer / News

Senior writer Seth Rosenblatt covered Google and security for CNET News, with occasional forays into tech and pop culture. Formerly a CNET Reviews senior editor for software, he has written about nearly every category of software and app available.

See full bio

Seth Rosenblatt

March 12, 2014 6:21 p.m. PT

Google has fixed seven security flaws in Chrome, just a day before the annual, real-time hacking competitions Pwnium and Pwn2Own.

The new security update for Chrome on Windows, Mac, and Linux patched four flaws labeled as High, below the more important level of Critical; three flaws in its rendering engine V8; and updated its internal version of Flash Player.

Three High-level vulnerabilities were found by three independent researchers, who earned a total of $8,000 for their work. The last High-level vulnerability was discovered by Google employees, as were the V8 vulnerabilities.

[$4000][344881] High CVE-2014-1700: Use-after-free in speech. Credit to Chamal de Silva.

[$3000][342618] High CVE-2014-1701: UXSS in events. Credit to aidanhs.

[$1000][333058] High CVE-2014-1702: Use-after-free in web database. Credit to Collin Payne.

[338354] High CVE-2014-1703: Potential sandbox escape due to a use-after-free in web sockets.

[328202, 349079, 345715] CVE-2014-1704: Multiple vulnerabilities in V8 fixed in version 3.23.17.18.

Google did not immediately respond to a request for comment, although Google does issue security updates for Chrome on a regular basis.