threatpost | Michael Mimoso | THREATPOST:E52308F690599E1A21135337FDD2A338
History: Jun 02, 2016 - 12:59 p.m.

Google Patches Two High-Severity Flaws in Chrome


EPSS: 0.022 (Low), percentile 88.2%

Google on Wednesday updated the Chrome browser for the third time since the start of May.

Chrome 51.0.2704.79 for Windows, Mac, and Linux patched 15 vulnerabilities. Google also paid out $14,000 in bounties to prolific bug hunters Mariusz Mlynski ($7,500) and Rob Wu ($6,500).

The previous Chrome update on May 27 addressed 42 flaws, with Mlynski cashing in to the tune of $30,000 after earning $15,500 in an update pushed out at the start of May.

Yesterday’s update patched two high-severity vulnerabilities, including a cross-origin bypass in the Blink web browser engine worth $7,500 to Mlynski. An anonymous researcher also pocketed $7,500 for a cross-origin bypass in Extension bindings.

Researcher Rob Wu, a student at TU/e in the Netherlands, earned $6,500 in bounties for three medium-severity vulnerabilities, including an information leak bug in Extension bindings worth $4,000.

The bugs that earned bounties are as follows:

[$7500][601073] High CVE-2016-1696: Cross-origin bypass in Extension bindings. Credit to anonymous.

[$7500][613266] High CVE-2016-1697: Cross-origin bypass in Blink. Credit to Mariusz Mlynski.

[$4000][603725] Medium CVE-2016-1698: Information leak in Extension bindings. Credit to Rob Wu.

[$3500][607939] Medium CVE-2016-1699: Parameter sanitization failure in DevTools. Credit to Gregory Panakkal.

[$1500][608104] Medium CVE-2016-1700: Use-after-free in Extensions. Credit to Rob Wu.

[$1000][608101] Medium CVE-2016-1701: Use-after-free in Autofill. Credit to Rob Wu.

[$1000][609260] Medium CVE-2016-1702: Out-of-bounds read in Skia. Credit to cloudfuzzer.