Google on Thursday patched 12 Chrome vulnerabilities, the second time in eight days that the search company has updated its browser.
Most of the vulnerabilities -- 8 of the dozen -- were identified as "use-after-free" bugs, a common type of memory vulnerability that researchers have found in large numbers within Chrome using Google's own AddressSanitizer detection tool.
[ In the browser wars, Chrome is beating IE on any given Sunday. | Get your websites up to speed with HTML5 today using the techniques in InfoWorld's HTML5 Deep Dive PDF how-to report. | Learn how to secure your Web browsers in InfoWorld's "Web Browser Security Deep Dive" PDF guide. ]
In all, 7 of the 12 bugs were rated "high," the second-most-serious ranking in Google's scoring system, whereas 4 were marked "medium," and 1 was labeled "low."
Google paid $6,000 in bounties to three researchers for reporting 7 of the vulnerabilities. The others were unearthed by Google's own security team or were ineligible for a finder's fee.
One of the latter had been forwarded to Google by HP TippingPoint, which operates the Zero Day Initiative (ZDI) bug bounty program. Google does not pay bounties for vulnerabilities submitted to ZDI -- it only rewards researchers who have not been otherwise compensated -- a decision that has created friction between Google and ZDI in the past.
Among those who received checks were Arthur Gerkis and someone who goes by the nickname "miaubiz," two of three researchers who were awarded special $10,000 bonuses a month ago for what Google called "sustained, extraordinary" contributions.
Miaubiz took home $4,500 for his work.
Sergey Glazunov, one of those who pocketed $60,000 at the Pwnium hacking challenge Google sponsored last month, reported 2 of the 12 vulnerabilities. Neither was significant enough to rate a bounty payment, however.
Google has paid more than $216,000 in bug bounties this year, including $120,000 it distributed during Pwnium.
Thursday's update to Chrome 18 also included a new version of Adobe Flash Player that patched two critical memory corruption vulnerabilities in the Chrome interface. The pair, unique to the Flash Player bundled with the browser, were reported by a Google security engineer and a team from IBM's X-Force Research group.
According to the advisory that accompanied Thursday's update, Google also fixed several nonsecurity issues, including some related to hardware acceleration, a feature the company switched on in Chrome when version 18 debuted March 28.
Chrome accounted for 18.6 percent of the browsers used worldwide last month, a decrease of about a third of a percentage point from February, said Internet measurement vendor Net Applications earlier this week. Chrome's usage share has declined three months running, and is down about 3 percent since the start of the year.
The patched version of Chrome 18 can be downloaded for Windows, Mac OS X, and Linux from Google's website. Already installed copies of the browser will be updated automatically by Chrome's silent service.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is email@example.com.
Read more about browsers in Computerworld's Browsers Topic Center.
This story, "Google patches Chrome for second time in eight days" was originally published by Computerworld.