back to article Google splashes $80k on Chrome 40 bug splatting

Google has patched 62 security vulnerabilities in Chrome 40 and handed out US$88,500 to bug hunters who spotted the problems. Of those fixes, 17 swatted dangerous memory corruption and use-after-free vulnerabilities in Chrome elements including FFmpeg, ICU and DOM. The Chocolate Factory's digital guardians pushed the flagship …

  1. Anonymous Coward
    Anonymous Coward

    Disclosure

    I wonder if someone who notified them of a bug a couple months ago that didn't make this release will make it public like they've been doing to Microsoft?

    1. Anonymous Coward
      Anonymous Coward

      Re: Disclosure

      Why would they need to threaten and motivate themselves to patch?

      If they didn't care about it, then they wouldn't have bounties in the first place.

      1. LDS Silver badge

        Re: Disclosure

        They pay money so the researcher stay silent until the check is paid...

    2. Anonymous Coward
      Anonymous Coward

      Re: Disclosure

      Chrome - the browser with more security holes than IE!

      With The Borg monitoring all that you do...

    3. Charlie Clark Silver badge

      Re: Disclosure

      Google quickly discovered that it was excellent PR to run bounty schemes, and much cheaper and more effective than trying to prevent disclosure.

  2. Anonymous Coward
    Anonymous Coward

    Can some one clarify

    FFmpeg...

    Is this the same one in VLC?

  3. LDS Silver badge

    Google doesn't respect its own 90 days deadline!

    CVE-2014-7923 was created on October 6th, 2014 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7923) - and that is only the date when the CVE identifier was created - not when the vulnerabilty was discovered, which of course happened *before*.

    (It looks the other CVE entries too were created on 20141006 - thereby it looks Google too needs time to fix things and release them... how many other later vulns are there and waiting to be patched well after 90 days?)

    "Strangely" they waited a "few days" for the release of a patch.... but of course wait for googledrones flying in to say this is different....

    1. Fuzz

      Re: Google doesn't respect its own 90 days deadline!

      Maybe Microsoft should start paying bounties for bugs in Google software

      1. LDS Silver badge

        Re: Google doesn't respect its own 90 days deadline!

        Ah, that's the reason Google is publishing them, they asked for money and MS didn't comply?

      2. Anonymous Coward
        Anonymous Coward

        Re: Google doesn't respect its own 90 days deadline!

        "Maybe Microsoft should start paying bounties for bugs in Google software"

        I don't think Microsoft would have enough money! Google's software has a terrible security vulnerability record...

    2. Anonymous Coward
      Anonymous Coward

      Re: Google doesn't respect its own 90 days deadline!

      What are you talking about? Do you even know?

      1. LDS Silver badge

        Re: Google doesn't respect its own 90 days deadline!

        Can you read a CVE entry? Follow the link....

    3. Charlie Clark Silver badge
      Thumb Down

      Re: Google doesn't respect its own 90 days deadline!

      The press release doesn't make it clear when the CVE was made public. As the bugfix has just gone into the stable version of the browser, it will have been fixed in beta and canary channels earlier and presumably available as a hotfix if required.

      Not that Google might not get caught out by its 90 day rule at some point but at the moment it has the PR on its side.

      From the security page:

      One of the quickest ways to get involved is finding and reporting security bugs. It will get prompt attention from a security sheriff, be kept private until we coordinate disclosure, and possibly qualify for a cash reward through our Vulnerability Rewards Program. We occasionally run security contests outside of our regular reward program (e.g. Pwnium2, Pwnium3) too.

      Oh, and the code is all open source so that miscreants have a head start finding bugs. Except, of course, that automated scans are better than code review for detecting exploits.

      1. LDS Silver badge

        Re: Google doesn't respect its own 90 days deadline!

        Of course the press release doesn't tell it - but it doesn't take much effort to go to CVE site and discover it ... The CVE entry was created at the beginning of October. Unlike Google, they don't publish detail whenever they like - they take security seriously, unlike Google which is now using it as a weapon against MS even if it put users at more risks.

        But the very fact that the CVE entry was reserved, assigned and thereby "timestamped", mean that the vulnerability was discovered and sent to Google well before the 90 days Google decided *others* should fix their issues within.

        Also, it can be very dangerous to fix vulnerabilities in beta and hotfix - because as soon as that code is released, a simple diff tells you where to look at, even if details are not made public. Vulnerabilities are not alike other bugs - disclosure *must* be very careful or you just get explotable zero days ones. A sound practice is to fix vulnerabilities first in production release and then backport them to any public beta or whatever - the other way round could be much more dangerous.

        And, read: "be kept private until we coordinate disclosure" - so they keep them private until they are ready for a disclosure - no matter how long it takes, no deadline here - so what they ask others to comply with is not valid for them. What is funny is people like you thing it's OK.... but Google has washbrained a lot of people who are scared as hell if they have to pay for the software they use...

        1. Charlie Clark Silver badge

          Re: Google doesn't respect its own 90 days deadline!

          I didn't find the release date of the CVE anywhere. Contrary to your insinuation I don't think Google is wonderful. There's a lot to criticise about the company. But they're handsomely winning the PR war about security. And I think they understand better than most, that you can only keep the most severe exploits under wraps and even then only a for a very short time (OpenBSD is the model here).

          I haven't done a look at the commits but I can't imagine they put something in stable without first having it in the beta version. A hotfix for all versions would be the exception here. I suppose that checking this would prove which of us is right about this.

  4. Haro

    Yeah for Google

    This is a great program, paying for bugs. It keeps people interested, and playing by the rules, whatever they are. The MS bounty program is ransom-ware. :)

  5. This post has been deleted by its author

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • Azure issues not adequately fixed for months, complain bug hunters
    Redmond kicks off Patch Tuesday with a months-old flaw fix

    Updated Two security vendors – Orca Security and Tenable – have accused Microsoft of unnecessarily putting customers' data and cloud environments at risk by taking far too long to fix critical vulnerabilities in Azure.

    In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure's Synapse Analytics that he discovered in January. 

    And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse. 

    Continue reading
  • How refactoring code in Safari's WebKit resurrected 'zombie' security bug
    Fixed in 2013, reinstated in 2016, exploited in the wild this year

    A security flaw in Apple's Safari web browser that was patched nine years ago was exploited in the wild again some months ago – a perfect example of a "zombie" vulnerability.

    That's a bug that's been patched, but for whatever reason can be abused all over again on up-to-date systems and devices – or a bug closely related to a patched one.

    In a write-up this month, Maddie Stone, a top researcher on Google's Project Zero team, shared details of a Safari vulnerability that folks realized in January this year was being exploited in the wild. This remote-code-execution flaw could be abused by a specially crafted website, for example, to run spyware on someone's device when viewed in their browser.

    Continue reading
  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading
  • If you're using older, vulnerable Cisco small biz routers, throw them out
    Severe security flaw won't be fixed – as patches released this week for other bugs

    If you thought you were over the hump with Patch Tuesday then perhaps think again: Cisco has just released fixes for a bunch of flaws, two of which are not great.

    First on the priority list should be a critical vulnerability in its enterprise security appliances, and the second concerns another critical bug in some of its outdated small business routers that it's not going to fix. In other words, junk your kit or somehow mitigate the risk.

    Both of these received a CVSS score of 9.8 out of 10 in severity. The IT giant urged customers to patch affected security appliances ASAP if possible, and upgrade to newer hardware if you're still using an end-of-life, buggy router. We note that miscreants aren't actively exploiting either of these vulnerabilities — yet.

    Continue reading
  • Halfords suffers a puncture in the customer details department
    I like driving in my car, hope my data's not gone far

    UK automobile service and parts seller Halfords has shared the details of its customers a little too freely, according to the findings of a security researcher.

    Like many, cyber security consultant Chris Hatton used Halfords to keep his car in tip-top condition, from tires through to the annual safety checks required for many UK cars.

    In January, Hatton replaced a tire on his car using a service from Halfords. It's a simple enough process – pick a tire online, select a date, then wait. A helpful confirmation email arrived with a link for order tracking. A curious soul, Hatton looked at what was happening behind the scenes when clicking the link and "noticed some API calls that seemed ripe for an IDOR" [Insecure Direct Object Reference].

    Continue reading
  • Microsoft fixes under-attack Windows zero-day Follina
    Plus: Intel, AMD react to Hertzbleed data-leaking holes in CPUs

    Patch Tuesday Microsoft claims to have finally fixed the Follina zero-day flaw in Windows as part of its June Patch Tuesday batch, which included security updates to address 55 vulnerabilities.

    Follina, eventually acknowledged by Redmond in a security advisory last month, is the most significant of the bunch as it has already been exploited in the wild.

    Criminals and snoops can abuse the remote code execution (RCE) bug, tracked as CVE-2022-30190, by crafting a file, such as a Word document, so that when opened it calls out to the Microsoft Windows Support Diagnostic Tool, which is then exploited to run malicious code, such spyware and ransomware. Disabling macros in, say, Word won't stop this from happening.

    Continue reading
  • For a few days earlier this year, rogue GitHub apps could have hijacked countless repos
    A bit of a near-hit for the software engineering world

    A GitHub bug could have been exploited earlier this year by connected third-party apps to hijack victims' source-code repositories.

    For almost a week in late February and early March, rogue applications could have generated scoped installation tokens with elevated permissions, allowing them to gain otherwise unauthorized write or administrative access to developers' repos. For example, if an app was granted read-only access to an organization or individual's code repo, the app could effortlessly escalate that to read-write access.

    This security blunder has since been addressed and before any miscreants abused the flaw to, for instance, alter code and steal secrets and credentials, according to Microsoft's GitHub, which assured The Register it's "committed to investigating reported security issues."

    Continue reading
  • 1Password's Insights tool to help admins monitor users' security practices
    Find the clown who chose 'password' as a password and make things right

    1Password, the Toronto-based maker of the identically named password manager, is adding a security analysis and advice tool called Insights from 1Password to its business-oriented product.

    Available to 1Password Business customers, Insights takes the form of a menu addition to the right-hand column of the application window. Clicking on the "Insights" option presents a dashboard for checking on data breaches, password health, and team usage of 1Password throughout an organization.

    "We designed Insights from 1Password to give IT and security admins broader visibility into potential security risks so businesses improve their understanding of the threats posed by employee behavior, and have clear steps to mitigate those issues," said Jeff Shiner, CEO of 1Password, in a statement.

    Continue reading
  • Info on 1.5m people stolen from US bank in cyberattack
    Time to rethink that cybersecurity strategy?

    A US bank has said at least the names and social security numbers of more than 1.5 million of its customers were stolen from its computers in December.

    In a statement to the office of Maine's Attorney General this month, Flagstar Bank said it was compromised between December and April 2021. The organization's sysadmins, however, said they hadn't fully figured out whose data had been stolen, and what had been taken, until now. On June 2, they concluded criminals "accessed and/or acquired" files containing personal information on 1,547,169 people.

    "Flagstar experienced a cyber incident that involved unauthorized access to our network," the bank said in a statement emailed to The Register.

    Continue reading

Biting the hand that feeds IT © 1998–2022