How much does it cost to patch 25 flaws in an open-source Web browser?
Google is updating the stable version of its Chrome browser to version 29.0.1547.57 across the Windows, Mac and Linux operating system platforms.
The new update includes at least 25 security fixes as well as an improved Omnibox search capability and a new browser reset feature.
In any given Google Chrome update, Google credits and rewards multiple researchers for their contributions to Chrome security. With the Chrome 29.0.1547.57 release, Google is crediting only four researchers for the discovery of six flaws. Three of those flaws were discovered by a single researcher, working under the alias “cloudfuzzer.”
In total, Google awarded $6,174 in reward money to the four researchers, with cloudfuzzer pocketing $3,000 of that total. Google recently revealed that it has paid out over $2 million in bug bounties to security researchers since 2010.
So what did cloudfuzzer find to earn $3,000? cloudfuzzer reported three separate use-after-free errors in Chrome that affect Extensible Stylesheet Language Transformation (XLST), media elements and document parsing. Use-after-free errors occur when allocated memory that is no longer in use is still available as legitimate memory space for an attacker to use to launch an attack. Google is often able to find use-after-free flaws with its own security resources by way of its open-source Address Sanitizer tool.
Security researcher Krystian Bigaj was awarded $1,337 for reporting an incomplete path sanitization issue, while Alex Chapman was awarded the same amount for an integer overflow issue. Christian Jaeger was awarded $500 for reporting an information leak issue related to overly broad permissions on shared memory files.
Looking deeper into the Chrome 29 security fixes, Google’s own team spent time on a number of memory hardening initiatives to further improve the security posture of the browser.
Security isn’t the only thing that has been updated in the Chrome 29.0.1547.57 stable release. Google is getting back to its core roots with improved search capabilities by way of the Chrome Omnibox. Instead of a separate search window in the browser, Chrome users input Website addresses as well as search queries all in the Omnibox bar of the browser.
With Chrome 29.0.1547.57, Google is promising that Omnibox suggestions will be improved, delivering better relevancy based on user browser behavior and history.
Google offers its Chrome users lots of options for customization, which can sometimes lead users down a path they’d like to forget.
For those users, Chrome 29.0.1547.57 now enables them to reset all their browser settings to the original defaults.
In addition to the stable update, Google has also updated its Dev channel early adopter edition to version 30.0.1599.14, providing multiple stability updates.
And Chrome Beta for Android is being updated to version 29.0.1547.58, giving mobile users a number of bug fixes.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.