Google issued a new security update to fix flaws in Chrome 49

Google has issued a new security update for its Chrome 49 that patches a number of flaws, most of them discovered by external researchers.

Google has updated Chrome 49 for all the available versions in order to patch several critical vulnerabilities, including the flaw discovered thanks its bounty program that were rewarded with dozen thousands of dollars. Since 2010, Google has been awarding hackers for discovering vulnerabilities in its products.

This isn’t the first time that the company issued an update to fix problems Chrome, the first Chrome 49 release was made available in early March to solve a total of 26 security issues. One week later GooGle released another update fixed other three high-severity vulnerabilities in the popular browser.

The new Chrome 49.0.2623.108 fix five vulnerabilities, four of which have been discovered by security experts that were awarded by the company.

The last Chrome update includes the following 4 security fixes for flaws discovered by external professionals:

[594574] High CVE-2016-1646: Out-of-bounds read in V8. Credit to Wen Xu from Tencent KeenLab. Rewarded $7500.
[590284] High CVE-2016-1647: Use-after-free in Navigation. Credit to anonymous. Rewarded $5500.
[590455] High CVE-2016-1648: Use-after-free in Extensions. Credit to anonymous. Rewarded $5000
[595836] High CVE-2016-1649: Buffer overflow in libANGLE. Credit to lokihardt working with HP’s Zero Day Initiative / Pwn2Own.

meanwhile the internal security team work fixed the following issues:

[597518] CVE-2016-1650: Various fixes from internal audits, fuzzing and other initiatives.
Multiple vulnerabilities in V8 fixed at the tip of the 4.9 branch (currently 4.9.385.33).

google chrome 49 bounty program

At the last edition of the Pwn2Own 2016 context, the researcher JungHoon Lee (aka lokihardt) failed to demonstrate a code execution exploit against Chrome, but its effort allowed the discovery of a high severity buffer overflow in libANGLE (CVE-2016-1649), for this reason, he was awarded an unspecified amount of money.

Find bugs in Chrome software is a profitable business, Google recently announced that it will pay $100,000 to anyone who can achieve a persistent compromise of a Chromebox or Chromebook in guest mode via a web page.

“Increasing our top reward from $50,000 to $100,000. Last year we introduced a $50,000 reward for the persistent compromise of a Chromebook in guest mode. Since we introduced the $50,000 reward, we haven’t had a successful submission. That said, great research deserves great awards, so we’re putting up a standing six-figure sum, available all year round with no quotas and no maximum reward pool.” states the Google Security Blog.

The company also announced the inclusion of the Download Protection Bypass in the bounty program.

“Happy hacking!”

Pierluigi Paganini

(Security Affairs – Google, Chrome 49)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.