Google has patched 21 bugs in its Chrome web browser, closing six high-severity holes along the way.
Mountain View paid US$29,133 for the bugs including a top pay out of US$7500 (CVE-2016-5181) for a universal cross-site scripting hole in Blink, and US$5500 (CVE-2016-5182) for a heap overflow in the same web browser engine.
Four vulnerabilities affecting the Blink engine were patched including a cross-origin bypass and a user-after-free, but Google did not reveal further details.
Two user-after-free holes in Chrome's PDF reader PDFium were bandaged, along with a pair of URL spoofing tricks.
Google restricted access to further details until most users have applied the patch and flaws relating to vulnerable third party libraries are fixed.
Users should update to Chrome version 54 to receive the latest fixes.
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
The bugs blatted this time around are:
[$7500] High CVE-2016-5181: Universal XSS in Blink. Credit to Anonymous
[$5500] High CVE-2016-5182: Heap overflow in Blink. Credit to Giwan Go of STEALIEN
[$3000] High CVE-2016-5183: Use after free in PDFium. Credit to Anonymous
[$3000] High CVE-2016-5184: Use after free in PDFium. Credit to Anonymous
[$3000] High CVE-2016-5185: Use after free in Blink. Credit to cloudfuzzer
[$1000] High CVE-2016-5187: URL spoofing. Credit to Luan Herrera
[$3133.7] Medium CVE-2016-5188: UI spoofing. Credit to Luan Herrera
[$1000] Medium CVE-2016-5192: Cross-origin bypass in Blink. Credit to firstname.lastname@example.org
[$500] Medium CVE-2016-5189: URL spoofing. Credit to xisigr of Tencent's Xuanwu Lab
[$500] Medium CVE-2016-5186: Out of bounds read in DevTools. Credit to Abdulrahman Alqabandi (@qab)
[$500] Medium CVE-2016-5191: Universal XSS in Bookmarks. Credit to Gareth Hughes
[$N/A] Medium CVE-2016-5190: Use after free in Internals. Credit to Atte Kettunen of OUSPG
[$500] Low CVE-2016-5193: Scheme bypass. Credit to Yuyang ZHOU (martinzhou96)
Chrome updates itself, unless you tell it not to. So all these fixes may already be in your browser. ®