Google on Thursday patched 12 Chrome vulnerabilities, the second time in eight days that the search company has updated its browser.
Most of the vulnerabilities -- 8 of the dozen -- were identified as "use-after-free" bugs, a common type of memory vulnerability that researchers have found in large numbers within Chrome using Google's own AddressSanitizer detection tool.
In all, 7 of the 12 bugs were rated "high," the second-most-serious ranking in Google's scoring system, whereas 4 were marked "medium," and 1 was labeled "low."
Google paid $6,000 in bounties to three researchers for reporting 7 of the vulnerabilities. The others were unearthed by Google's own security team or were ineligible for a finder's fee.
One of the latter had been forwarded to Google by HP TippingPoint, which operates the Zero Day Initiative (ZDI) bug bounty program. Google does not pay bounties for vulnerabilities submitted to ZDI -- it only rewards researchers who have not been otherwise compensated -- a decision that has created friction between Google and ZDI in the past.
Among those who received checks were Arthur Gerkis and someone who goes by the nickname "miaubiz," two of three researchers who were awarded special $10,000 bonuses a month ago for what Google called "sustained, extraordinary" contributions.
Miaubiz took home $4,500 for his work.
Sergey Glazunov, one of those who pocketed $60,000 at the Pwnium hacking challenge Google sponsored last month, reported 2 of the 12 vulnerabilities. Neither was significant enough to rate a bounty payment, however.
Google has paid more than $216,000 in bug bounties this year, including $120,000 it distributed during Pwnium.
Thursday's update to Chrome 18 also included a new version of Adobe Flash Player that patched two critical memory corruption vulnerabilities in the Chrome interface. The pair, unique to the Flash Player bundled with the browser, were reported by a Google security engineer and a team from IBM's X-Force Research group.
According to the advisory that accompanied Thursday's update, Google also fixed several nonsecurity issues, including some related to hardware acceleration, a feature the company switched on in Chrome when version 18 debuted March 28.