Google patched 15 vulnerabilities in Chrome on Tuesday, paying $6,000 in bounties to bug hunters who reported some of them, and updated the browser to version 16.
The one new feature in the upgrade that Google called out wasmulti-user synchronization of bookmarks, passwords and apps.
Google last refreshed Chrome seven weeks ago on Oct 25.Google producesan update to its “stable” channel about every six to eight weeks, aslightly more flexible schedule than rival Mozilla’s every-six-weekpace.
Six of the 15 vulnerabilities patched Tuesday were rated “high,” thesecond-most-serious ranking in Google’s system, while seven werelabeled “medium” and another two were tagged as “low.”
Google paid $6,000 in bounties, or less than a fourth ofwhat it laidout in October, to five researchers for reporting seven bugs. The eightother vulnerabilities were uncovered by members of Google’s ownsecurity team, developers who contribute to the open-source Chromiumproject — which feeds code to Chrome — or were ranked low and so noteligible for a bonus.
The company has paid just over $180,000 so far this year in bounties tooutside researchers.
Several of the bugs, including a pair attributed to independentresearcher Arthur Gerkis — who earned $2,000 for his work — werefound using Google’s memory error detection tool, AddressSanitizer.Released in June, AddressSanitizer can detect a variety of errors,including “use-after-free” memory management bugs like those reportedby Gerkis.
Four of the flaws were related to Google’s parsing of PDF documents –the browser includes a built-in PDF viewer, eliminating the need tolaunch Adobe’s free Reader application — while two others were foundin Chrome’s processing of SVG (scalar vector graphics) images.
Per its usual practice, Google blocked access to its bug trackingdatabase for all 15 vulnerabilities to prevent outsiders from obtainingdetails that could be used to craft exploits. Google typically opens upthe database weeks or even months later, after it’s sure a majority ofusers have had their browsers upgraded by Chrome’s silent updatingprocess.
Chrome set to surpass Firefox
Google usually includes only a handful of obvious changes in eachChrome upgrade, and held to that practice yesterday: The sole featureit touted was the option to add additional users to Chrome so thatseveral people could use the browser on a shared Mac or PC, but keeptheir synchronized content — bookmarks, passwords, installed apps, andmore — separate.
The multi-use sync debuted in early November in a beta of Chrome 16.
Chrome 16 can now separately sync bookmarks and passwords for severalpeople who share one computer.
Another measurement firm, U.S.-based Net Applications, still had Chromebehind Firefox, but projections based on its data showed that Google’sbrowser would jump Mozilla’s no later than May 2012.
Chrome 16can be downloaded for Windows, Mac OS X and Linux from Google’s Website. Users already running the browser will be updated automaticallyvia the browser’s behind-the-scenes service.