Chrome 35 made deaf to old speech API bug

23 flaws fixed in new version of Chocolate Factory's browser

Google has patched 23 vulnerabilities, including three marked high risk, in the latest update to its Chrome web browser.

Mountain View has yet to release details on the full set of patched bugs pushed out overnight in the new release 35 of Chrome for Windows, Mac and Linux.

Chrome engineer Karen Grünberg said Google paid out US$9500 to external researchers for reporting vulnerabilities including use-after-free and cross-site scripting.

The latest Chrome also sports better developer control over touch input, new JavaScript features and application program interfaces for apps and extensions.

A particularly interesting bug in the set, discovered in April, allowed abuse of the old speech API in Chrome for eavesdropping.

Bug payouts Google acknowledged in the patch include:

  • $3000 for 356653 – High – CVE-2014-1743: Use-after-free in styles.
  • $3000 for 359454 – High – CVE-2014-1744: Integer overflow in audio.
  • $1000 for 346192 – High – CVE-2014-1745: Use-after-free in SVG.
  • $1000 for 364065 – Medium – CVE-2014-1746: Out-of-bounds read in media filters.
  • $1000 for 330663 – Medium – CVE-2014-1747: UXSS with local MHTML file.
  • $500 for 331168 – Medium – CVE-2014-1748: UI spoofing with scrollbar.

In a tip to would-be bug hunters, Grünberg said many of the noted vulnerabilities were detected using Google's AddressSanitizer tool, released in 2012.

