Google releases Chrome 21, shells out $3,500 for security holes

The folks at the Googleplex have released the newest update to the Chrome browser. The new version, 21, fixes three high-priority security issues in the popular web browser, Google disclosed on Friday.

Google paid $3,500 to three separate independent security researchers for information on security holes in the product. Fixes for those holes were rolled into the new version of Chrome for Windows, Mac and Linux, officially labeled 21.0.1180.89, according to a post on the Google Chrome Releases blog by Karen Grunberg of Google’s Chrome team.

The patched holes include three rated “High.”

The first, CVE-2012-2866, is a problem in which Chrome failed to properly perform a cast of an unspecified variable during handling of run-in elements. If left unpatched, it could allow attackers to cause a denial of service (or worse) on a vulnerable Chrome instance using a specially crafted document.

The second security hole rated “high,” CVE-2012-2869, is a fault in which Chrome improperly loaded URLs, which could allow remote attackers to cause a denial of service or, possibly, take additional actions on a vulnerable system.

The third vulnerability with a “high” rating, CVE-2012-2871, is a problem with libxml2 2.9.0-rc1 and earlier, a standard Google Chrome component. Earlier versions of that library don’t properly support a cast of an unspecified variable during XSL transforms – a process in which webpage style sheets are rendered when a page is loaded.

The vulnerability could allow a remote attacker to cause a denial of service attack or take other actions on vulnerable systems using a specially crafted document, Google warned.

Google is one of two major browser makers, along with The Mozilla Foundation, that pay independent researchers for information about security holes in their products. The company has been a leader in promoting scrutiny of its platform. In August, Google announced Pwnium 2, the second annual contest that invites top hackers to take a crack at Chrome in exchange for cash prizes.

The first, held in March, awarded $60,000 in prize money to two researchers who created sophisticated, successful attacks against Chrome.

The announcement from Mountain View-based Google follows a similar announcement last week from The Mozilla Foundation, which released an update to its Firefox web browser, Firefox 15, that fixed 16 security holes and a large number of stability and memory management problems.