Google fixes 7 Chrome security holes just before CanSecWest
The day before two annual Google-sponsored hacking contests kick off at a security conference in Vancouver, Google tidies up some of Chrome's loose ends.
Google has fixed seven security flaws in Chrome, just a day before the annual, real-time hacking competitions Pwnium and Pwn2Own.
The new security update for Chrome on Windows, Mac, and Linux patches four flaws rated High, the level below the more important Critical rating; fixes three flaws in its rendering engine V8; and updates its internal version of Flash Player.
Three High-level vulnerabilities were found by three independent researchers, who earned a total of $8,000 for their work. The last High-level vulnerability was discovered by Google employees, as were the V8 vulnerabilities.
[$4000][344881] High CVE-2014-1700: Use-after-free in speech. Credit to Chamal de Silva.
[$3000][342618] High CVE-2014-1701: UXSS in events. Credit to aidanhs.
[$1000][333058] High CVE-2014-1702: Use-after-free in web database. Credit to Collin Payne.
[338354] High CVE-2014-1703: Potential sandbox escape due to a use-after-free in web sockets.
[328202, 349079, 345715] CVE-2014-1704: Multiple vulnerabilities in V8 fixed in version 3.23.17.18.
Google did not immediately respond to a request for comment, although Google does issue security updates for Chrome on a regular basis.