Google pays $75K in bug bounties to fix 159 Chrome flaws
- 09 October, 2014 00:06
Google yesterday released Chrome 38, paying out more than $75,000 in bounties for some of the 159 vulnerabilities patched in the massive security update.
Also, contrary to what Google said in August but in line with its change-of-mind last month, Chrome 38 remained a 32-bit application on OS X, the operating system for Apple's Mac line.
Of the 159 bugs quashed in Chrome 38, 113 -- or 71% -- were "relatively minor fixes," according to Google. Those vulnerabilities had been found using MemorySanitizer, a Google-made tool for sniffing out memory initialization flaws.
Some of the other vulnerabilities were more significant, and earned their discoverers impressive bounties.
By reporting a "combination of V8 and IPC bugs that can lead to remote code execution outside of the sandbox," researcher Jüri Aedla was handed a check for $27,633.70. Aedla, a former Google security engineer, is an experienced bounty hunter: He collected $50,000 in March for revealing a critical vulnerability in Mozilla's Firefox at the Pwn2Own 2014 hacking contest.
Sandbox-escape exploits are not only relatively rare, but the most critical in Chrome -- and thus deserve the biggest bounties. The anti-exploit technology, which isolates processes on a computer to prevent, or at least hinder, hackers from planting malware on the machine, is a core Chrome defense.
Although Google tripled its maximum payout to $15,000 earlier this week, Aedla's award was nearly double the rate card's top-dollar. But Google has always paid more than the maximum for "particularly great [bug] reports."
Google also paid a pair of researchers -- Atte Kettunen of the Oulu University Secure Programming Group (OUSPG) in Finland, and Collin Payne, a senior researcher with the UK Department for Transport -- $23,000 for "working with us during the development cycle to prevent security bugs from ever reaching the stable channel," according to Chrome 38's advisory.
Several eagle-eyed Computerworld readers also noted that Chrome 38 remains a 32-bit application under OS X, contrary to what Google had said back in August when it announced that 32-bit would be retired as of that version.
In September, however, Google revised the schedule. "We're now bringing these benefits to OS X with Chrome 64-bit for Mac, version 39, due to be released in Nov. 2014," the company said in a brief blog update on Sept. 12.
Unlike with Chrome for Windows, the Mac browser will not be maintained in separate 32- and 64-bit versions: People running Chrome will automatically be updated to the latter. And when Chrome 39 reaches Release status, the 32-bit Chrome will be retired.
That will present problems for Chrome users with very old Macs, as machines sold by Apple from January 2006 to August 2007 (at the latest) will not be able to run the 64-bit Chrome. Individual Mac models made the 32-bit to 64-bit Intel processor jump at different times: The MacBook Pro, for instance, went 64-bit in June 2007, while the less-expensive MacBook switched to 64-bit in November 2006.
OS X 10.6, aka Snow Leopard, which was released in August 2009, was the last edition to support 32-bit Intel Macs.
When Chrome 39 debuts next month, some Chrome users on OS X will either have to switch browsers -- likely to Firefox, which includes both 32- and 64-bit versions in each edition's package -- or risk running an unpatched browser.
Chrome 38 can be downloaded from Google's website.