The day before two annual Google-sponsored hacking contests kick off at a security conference in Vancouver, Google tidies up some of Chrome’s loose ends.

March 12, 2014 6:21 PM PDT

Google has fixed seven security flaws in Chrome, just a day before the annual, real-time hacking competitions Pwnium and Pwn2Own.

The new security update for Chrome on Windows, Mac, and Linux patches four flaws labeled as High, below the more important level of Critical; fixes three flaws in its rendering engine V8; and updates its internal version of Flash Player.
Three High-level vulnerabilities were found by three independent researchers, who earned a total of $8,000 for their work.

The last High-level vulnerability was discovered by Google employees, as were the V8 vulnerabilities.

[$4000][344881] High CVE-2014-1700: Use-after-free in speech. Credit to Chamal de Silva.
[$3000][342618] High CVE-2014-1701: UXSS in events. Credit to aidanhs.
[$1000][333058] High CVE-2014-1702: Use-after-free in web database. Credit to Collin Payne.
[338354] High CVE-2014-1703: Potential sandbox escape due to a use-after-free in web sockets.
[328202, 349079, 345715] CVE-2014-1704: Multiple vulnerabilities in V8 fixed in version 3.23.17.18.

Google did not immediately respond to a request for comment, although the company does issue security updates for Chrome on a regular basis.