Skip to main content [aditude-amp id="stickyleaderboard" targeting='{"env":"staging","page_type":"article","post_id":1571298,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"business,","session":"C"}']

Google spends over $75,000 in bounties to fix 159 security issues with Chrome 38 release

In addition to updating Chrome for iOS, Google today released Chrome 38 for Windows, Mac, and Linux. You can update to the latest release now using the browser’s built-in silent updater, or download it directly from google.com/chrome.

While Chrome 38 beta brought a slew of new features, the stable release is pretty much just a massive security update. This means that, with Chrome 38, Google isn’t adding any features to the stable channel. The changelog merely states “a number of new apps/extension APIs” and “lots of under the hood changes for stability and performance” — none of the new additions in the beta are listed.

[aditude-amp id="flyingcarpet" targeting='{"env":"staging","page_type":"article","post_id":1571298,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"business,","session":"C"}']

That said, Chrome 38 does address a huge 159 security issues (including 113 “relatively minor ones”). Of these, Google chose to highlight the following:

  • [$27633.70][416449] CVE-2014-3188: A special thanks to Jüri Aedla for a combination of V8 and IPC bugs that can lead to remote code execution outside of the sandbox.
  • [$3000][398384] High CVE-2014-3189: Out-of-bounds read in PDFium. Credit to cloudfuzzer.
  • [$3000][400476] High CVE-2014-3190: Use-after-free in Events. Credit to cloudfuzzer.
  • [$3000][402407] High CVE-2014-3191: Use-after-free in Rendering. Credit to cloudfuzzer.
  • [$2000][403276] High CVE-2014-3192: Use-after-free in DOM. Credit to cloudfuzzer.
  • [$1500][399655] High CVE-2014-3193: Type confusion in Session Management. Credit to miaubiz.
  • [$1500][401115] High CVE-2014-3194: Use-after-free in Web Workers. Credit to Collin Payne.
  • [$4500][403409] Medium CVE-2014-3195: Information Leak in V8. Credit to Jüri Aedla.
  • [$3000][338538] Medium CVE-2014-3196: Permissions bypass in Windows Sandbox. Credit to James Forshaw.
  • [$1500][396544] Medium CVE-2014-3197: Information Leak in XSS Auditor. Credit to Takeshi Terada.
  • [$1500][415307] Medium CVE-2014-3198: Out-of-bounds read in PDFium. Credit to Atte Kettunen of OUSPG.
  • [$500][395411] Low CVE-2014-3199: Release Assert in V8 bindings. Credit to Collin Payne.
  • $23,000 for preventing security bugs from ever reaching the stable channel. Credit to Atte Kettunen of OUSPG and Collin Payne.

If you add all those up, you’ll see Google spent a whopping $75,633.70 in bug bounties for this release. This list, and the ensuing amount, should be enough to push Chrome users to upgrade as soon as possible, new features be damned.

AI Weekly

The must-read newsletter for AI and Big Data industry written by Khari Johnson, Kyle Wiggers, and Seth Colaner.

Included with VentureBeat Insider and VentureBeat VIP memberships.

If you’re a Mac user waiting on the 64-bit version that was part of the beta, Google is planning to release it in November with Chrome 39. In fact, unlike on Windows where 32-bit and 64-bit versions will both continue to be available, as of version 39, Chrome will only be available in 64-bit on OS X.

As for the other new beta features, including the new user switching design and Guest Mode, we’re not sure when they’ll arrive in the stable channel. We’ll let you know when we learn more.

VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Learn More