Chrome 14 contains many security fixes

SOFTWARE DEVELOPER Google has released its Chrome 14 web browser that fixes a number of security vulnerabilities and adds support for sandboxed Native Client applications.

As far as security patches go, the Chrome 14.0.835.163 stable version has a whooping 32 of them, with 15 being considered highly important. However, despite the large number of flaws addressed, Google's security bounty for this release totaled only $14,337, about $450 per bug.

That's because seven vulnerabilities were rated as low and many others were discovered by members of the Google Chrome Security Team or the Chromium development community. These flaws are not rewarded through the Chromium Security Rewards program.

Regular Chrome security contributor Sergey Glazunov, the best paid researcher through Google's bug bounty porgram so far, was credited with finding only one vulnerability in this release, but he earned a special $2,337 reward for it.

The vulnerability, identified as CVE-2011-2862, can lead to unintended access to v8 built-in objects. The reward probably consisted of an $1,337 (eleet) prize for the cleverness of the flaw and an additional $1,000 bonus for helping developers come up with a fix.

The best paid security researcher in this release was another regular Chrome security contributor known as miaubiz. He earned a total of $3,500 for discovering three high rated and one medium rated vulnerabilities.

Various security rewards were also issued during the Chrome 14 development cycle before it reached the stable channel. "We would like to thank 'send.my.spam.to', 'Feiler89', miaubiz, The Microsoft Java Team / Microsoft Vulnerability Research (MSVR), Chris Rohlf of Matasano, Chamal de Silva, Christian Holler, 'simon.sarris' and Alexey Proskuryakov of Apple for working with us in the development cycle and preventing bugs from ever reaching the stable channel," said Google Chrome engineer Anthony Laforge.

In addition to the vulnerability patches, the most noteworthy change in Chrome 14 as far as security is concerned is the implementation of Google's Native Client (NaCl) technology, which allows C/C++ code to be executed within the web browser.

Developers can now create powerful web-oriented applications that can make full use of system resources and run security in Google Chrome's so-far-impenetrable sandbox. For now, only apps from the Chrome Web Store can make use of Native Client, but Google plans to extend the technology in the future and port some of the browser's components to it. µ