Wednesday 15 February 2012


Google yesterday patched four vulnerabilities in Chrome, and disclosed that it had patched a fifth two weeks ago.
The refresh of Chrome 16 was the second security-related update for the browser this month.
One of the five bugs Google said had been quashed was actually a leftover from the Jan. 9 update. According to a blog post by Anthony Laforge, a Chrome program manager, that flaw was actually patched two weeks ago, but "[was] accidentally excluded from the release notes" at the time.
The vulnerability was the most serious of the five, rating a "critical" ranking, Google's top threat label.
According to the bug-tracking materials for Chromium, the open-source project that feeds code into Chrome, the critical bug caused the browser to crash when users saw Chrome's anti-malicious site warning and then refreshed the page.
Researcher Chamal de Silva reported the vulnerability in mid-December 2011, and was awarded $3,133 -- Google's highest bounty -- for his work. de Silva's bug was only the third time Google has paid out the $3,133 maximum, and the first time since June 2011.
In July 2010, Google boosted its top dollar bountyfrom $1,337 to $3,133, making the move less than a week after rival Mozilla increased Firefox bug bounties to $3,000.
Two other researchers who reported three of the remaining vulnerabilities were paid a total of $3,000 in bounties. Those bugs were rated as "high" threats.
Google has paid out more than $8,000 so far this year to independent researchers for filing bug reports. Last year, the search giant spent more than $180,000 on bounties.
Chrome accounted for 19.1% of all browsers used last month, a record for Google, according to Web metrics firm Net Application. If its share movement continues on past pace, Chrome will crack the 20% mark either this month or next.
Chrome 16, the current stable edition, can be downloaded from Google's website:):)