Google released security patches for 21 vulnerabilities in its Chrome browser, including six high-severity flaws. Most of these flaws were discovered and reported by bug hunters through the tech giant's bounty program.
Chrome Update 54 is available for Mac, Windows and Linux operating systems and has started rolling out this week.
Details of the vulnerabilities are limited and restricted but included in the high-severity fixes are patches for a universal XSS bug (CVE-2016-5181), a heap overflow flaw (CVE-2016-5182) and a use-after-free bug (CVE-2016-5185) in Blink, Chrome's web browser engine.
Two high-severity use-after-free bugs were also squashed in Chrome's PDF viewer, PDFium (CVE-2016-5183 and CVE-2016-5184).
The last high-severity flaw is a URL spoofing vulnerability (CVE-2016-5187).
The remaining patches range from medium to low severity. These include UI and URL spoofings, cross-origin bypass in Blink, out of bounds read in DevTools, use-after-free in Internals, universal XSS in bookmarks and a scheme bypass.
Overall, the bug hunters have netted $30,000 in rewards total for these bugs, with a top payout of $7,500 for the cross-site scripting hole in Blink and $5,500 for the heap overflow bug, also in Blink.
Here's Google's list of all the security fixes and the associated bounties for Chrome 54:
- High CVE-2016-5181: Universal XSS in Blink. Credit to Anonymous ($7500)
- High CVE-2016-5182: Heap overflow in Blink. Credit to Giwan Go of STEALIEN ($5500)
- High CVE-2016-5183: Use after free in PDFium. Credit to Anonymous ($3000)
- High CVE-2016-5184: Use after free in PDFium. Credit to Anonymous ($3000)
- High CVE-2016-5185: Use after free in Blink. Credit to cloudfuzzer ($3000)
- Medium CVE-2016-5186: Out of bounds read in DevTools. Credit to Abdulrahman Alqabandi (@qab) ($500)
- High CVE-2016-5187: URL spoofing. Credit to Luan Herrera ($1000)
- Medium CVE-2016-5188: UI spoofing. Credit to Luan Herrera ($3133.7)
- Medium CVE-2016-5189: URL spoofing. Credit to xisigr of Tencent's Xuanwu Lab ($500)
- Medium CVE-2016-5190: Use after free in Internals. Credit to Atte Kettunen of OUSPG ($N/A)
- Medium CVE-2016-5191: Universal XSS in Bookmarks. Credit to Gareth Hughes ($500)
- Medium CVE-2016-5192: Cross-origin bypass in Blink. Credit to firstname.lastname@example.org ($1000)
- Low CVE-2016-5193: Scheme bypass. Credit to Yuyang ZHOU (martinzhou96) ($500)
The next update, Chrome 55, is expected to be released on December 6. We reported that this will bring memory optimizations that will improve its performance. Click here to read what the next Chrome update will bring.
How to update Chrome:
Google Chrome can be set to automatically update with new versions that include the most recent security patches.
If you're using a computer: Just close and reopen your Chrome browser. Or, Click the Chrome menu that looks like three horizontal lines on the far upper-right hand corner of the screen >> Update Google Chrome >> Relaunch.
If you don't see Update Google Chrome, don't worry. That means you have the most updated version.
To read more about this Chrome release, check out the Chrome Team's official blog post.