Google Chrome 26, the latest version of the company’s browser, is out and it contains a number of security patches, with the biggest fix being for a high-priority use-after-free vulnerability in the Web Audio component of the browser.
That vulnerability is the only one in Chrome 26 for which Google paid a bug bounty as part of its reward program. All of the other vulnerabilities ended up discovered by members of the company’s own security team or the bugs just didn’t qualify for a reward.
This continues a trend of the number of vulnerabilities qualifying for rewards from Google declining as it becomes more and more difficult to find serious bugs in the browser.
Google has raised the amount of money paid for serious vulnerabilities in order to attract more submissions from security researchers, but the improved defenses in Chrome have made life more difficult for would-be submitters.
Here is a list of vulnerabilities patched by Google in Chrome 26:
• High CVE-2013-0916: Use-after-free in Web Audio.
• Low CVE-2013-0917: Out-of-bounds read in URL loader.
• Low CVE-2013-0918: Do not navigate dev tools upon drag and drop.
• [Linux only] Medium CVE-2013-0919: Use-after-free with pop-up windows in extensions.
• Medium CVE-2013-0920: Use-after-free in extension bookmarks API.
• High CVE-2013-0921: Ensure isolated web sites run in their own processes.
• Low CVE-2013-0922: Avoid HTTP basic auth brute force attempts.
• Medium CVE-2013-0923: Memory safety issues in the USB Apps API.
• Low CVE-2013-0924: Check an extension’s permissions API usage again file permissions.
• Low CVE-2013-0925: Avoid leaking URLs to extensions without the tabs permissions.
• Medium CVE-2013-0926: Avoid pasting active tags in certain situations.