Google Chrome

Google Chrome 62.0.3202.94

Google has released Version 48.0.2564.116 of the Chrome browser.
Stable Channel Update

The stable channel has been updated to 48.0.2564.116 for Windows, Mac, and Linux.

Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

This update includes the following security fix contributed by an external researcher. Please see the Chromium security page for more information.

[$25,633.7][583431] Critical CVE-2016-1629: Same-origin bypass in Blink and Sandbox escape in Chrome. Credit to anonymous.

Many of our security bugs are detected using AddressSanitizer, MemorySanitizer or Control Flow Integrity.
A list of changes is available in the log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.


Krishna Govind
Google Chrome
 
Google has released Version 49.0.2623.75 of the Chrome browser.
Stable Channel Update
Wednesday, March 2, 2016
The Chrome team is delighted to announce the promotion of Chrome 49 to the stable channel for Windows, Mac and Linux.

Chrome 49.0.2623.75 contains a number of fixes and improvements -- a list of changes is available in the log. Watch out for upcoming Chrome and Chromium blog posts about new features and big efforts delivered in 49.


Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
This update includes 26 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chromium security page for more information.
[$8000][560011] High CVE-2016-1630: Same-origin bypass in Blink. Credit to Mariusz Mlynski.
[$7500][569496] High CVE-2016-1631: Same-origin bypass in Pepper Plugin. Credit to Mariusz Mlynski.
[$5000][549986] High CVE-2016-1632: Bad cast in Extensions. Credit to anonymous.
[$3000][572537] High CVE-2016-1633: Use-after-free in Blink. Credit to cloudfuzzer.
[$3000][559292] High CVE-2016-1634: Use-after-free in Blink. Credit to cloudfuzzer.
[$2000][585268] High CVE-2016-1635: Use-after-free in Blink. Credit to Rob Wu.
[$2000][584155] High CVE-2016-1636: SRI Validation Bypass. Credit to [email protected].
[$500][560291] High CVE-2015-8126: Out-of-bounds access in libpng. Credit to joerg.bornemann.
[$2000][555544] Medium CVE-2016-1637: Information Leak in Skia. Credit to Keve Nagy.
[$1000][585282] Medium CVE-2016-1638: WebAPI Bypass. Credit to Rob Wu.
[$1000][572224] Medium CVE-2016-1639: Use-after-free in WebRTC. Credit to Khalil Zhani.
[$1000][550047] Medium CVE-2016-1640: Origin confusion in Extensions UI. Credit to Luan Herrera.
[$500][583718] Medium CVE-2016-1641: Use-after-free in Favicon. Credit to Atte Kettunen of OUSPG.
We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel. An additional $14,500 in rewards were issued for security bugs present on non-stable channels.
As usual, our ongoing internal security work was responsible for a wide range of fixes:
  • [591402] CVE-2016-1642: Various fixes from internal audits, fuzzing and other initiatives.
  • Multiple vulnerabilities in V8 fixed at the tip of the 4.9 branch (currently 4.9.385.26).
Many of our security bugs are detected using AddressSanitizer, MemorySanitizer or Control Flow Integrity.


Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.


Krishna Govind
Google Chrome
 
Google has released Version 49.0.2623.87 of the Chrome browser.
Stable Channel Update
Tuesday, March 8, 2016
The stable channel has been updated to 49.0.2623.87 for Windows, Mac, and Linux.


Security Fixes and Rewards

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.


This update includes 3 security fixes that were contributed by external researchers. Please see the Chromium security page for more information.


[$5000][589838] High CVE-2016-1643: Type confusion in Blink. Credit to cloudfuzzer.
[$3500][590620] High CVE-2016-1644: Use-after-free in Blink. Credit to Atte Kettunen of OUSPG.
[587227] High CVE-2016-1645: Out-of-bounds write in PDFium. Credit to anonymous working with HP's Zero Day Initiative.



Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, Control Flow Integrity or LibFuzzer.
A list of changes is available in the log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.


Krishna Govind
Google Chrome
 
Google has released Version 49.0.2623.108 of the Chrome browser.
Stable Channel Update
Thursday, March 24, 2016
The stable channel has been updated to 49.0.2623.108 for Windows, Mac, and Linux.



Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
This update includes 5 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chromium security page for more information.
[$7500][594574] High CVE-2016-1646: Out-of-bounds read in V8. Credit to Wen Xu from Tencent KeenLab.
[$5500][590284] High CVE-2016-1647: Use-after-free in Navigation. Credit to anonymous.
[$5000][590455] High CVE-2016-1648: Use-after-free in Extensions. Credit to anonymous.
[595836] High CVE-2016-1649: Buffer overflow in libANGLE. Credit to lokihardt working with HP’s Zero Day Initiative / Pwn2Own.
As usual, our ongoing internal security work was responsible for a wide range of fixes:
  • [597518] CVE-2016-1650: Various fixes from internal audits, fuzzing and other initiatives.
  • Multiple vulnerabilities in V8 fixed at the tip of the 4.9 branch (currently 4.9.385.33).

Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, Control Flow Integrity or LibFuzzer.

A list of changes is available in the log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.



Krishna Govind
Google Chrome
 
Google has released Version 49.0.2623.110 of the Chrome browser.
Stable Channel Update
Monday, March 28, 2016
The stable channel has been updated to 49.0.2623.110 for Windows, Mac, and Linux.

A list of changes is available in the log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.


Krishna Govind
Google Chrome
 
Google has released Version 49.0.2623.112 of the Chrome browser.
Stable Channel Update
Thursday, April 7, 2016
The stable channel has been updated to 49.0.2623.112 for Windows, Mac, and Linux.

A list of changes is available in the log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.


Krishna Govind
Google Chrome
 
Google has released Version 50.0.2661.75 of the Chrome browser.
Stable Channel Update
Wednesday, April 13, 2016
The Chrome team is delighted to announce the promotion of Chrome 50 to the stable channel for Windows, Mac and Linux.


Chrome 50.0.2661.75 contains a number of fixes and improvements -- a list of changes is available in the log. Watch out for upcoming Chrome and Chromium blog posts about new features and big efforts delivered in 50.


Security Fixes and Rewards

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.


This update includes 20 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chromium security page for more information.


[$7500][590275] High CVE-2016-1652: Universal XSS in extension bindings. Credit to anonymous.
[$5000][589792] High CVE-2016-1653: Out-of-bounds write in V8. Credit to Choongwoo Han.
[591785] Medium CVE-2016-1651: Out-of-bounds read in Pdfium JPEG2000 decoding. Credit to kdot working with HP's Zero Day Initiative.
[$1500][589512] Medium CVE-2016-1654: Uninitialized memory read in media. Credit to Atte Kettunen of OUSPG.
[$1500][582008] Medium CVE-2016-1655: Use-after-free related to extensions. Credit to Rob Wu.
[$500][570750] Medium CVE-2016-1656: Android downloaded file path restriction bypass. Credit to Dzmitry Lukyanenko.
[$1000][567445] Medium CVE-2016-1657: Address bar spoofing. Credit to Luan Herrera.
[$500][573317] Low CVE-2016-1658: Potential leak of sensitive information to malicious extensions. Credit to Antonio Sanso (@asanso) of Adobe.


We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel. The total value of additional rewards and their recipients will updated here when all reports have gone through the reward panel.


As usual, our ongoing internal security work was responsible for a wide range of fixes:
  • [602697] CVE-2015-1659: Various fixes from internal audits, fuzzing and other initiatives.

Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, Control Flow Integrity or LibFuzzer.



Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.


Krishna Govind
Google Chrome
 
Google has released Version 50.0.2661.87 of the Chrome browser.
Stable Channel Update
Wednesday, April 20, 2016
The stable channel has been updated to 50.0.2661.87 for Windows and 50.0.2661.86 for Mac, Linux .

A list of changes is available in the log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.

Krishna Govind
Google Chrome
 
Google has released Version 50.0.2661.94 of the Chrome browser.
Stable Channel Update
Thursday, April 28, 2016
The stable channel has been updated to 50.0.2661.94 for Windows, Mac, and Linux.


Security Fixes and Rewards

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.


This update includes 9 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chromium security page for more information.


[$3000][574802] High CVE-2016-1660: Out-of-bounds write in Blink. Credit to Atte Kettunen of OUSPG.
[$3000][601629] High CVE-2016-1661: Memory corruption in cross-process frames. Credit to Wadih Matar.
[$3000][603732] High CVE-2016-1662: Use-after-free in extensions. Credit to Rob Wu.
[$3000][603987] High CVE-2016-1663: Use-after-free in Blink’s V8 bindings. Credit to anonymous.
[$1000][597322] Medium CVE-2016-1664: Address bar spoofing. Credit to Wadih Matar.
[$1000][606181] Medium CVE-2016-1665: Information leak in V8. Credit to gksgudtjr456.


We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.


As usual, our ongoing internal security work was responsible for a wide range of fixes:
  • [607652] CVE-2015-1666: Various fixes from internal audits, fuzzing and other initiatives.

Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, Control Flow Integrity or LibFuzzer.A list of changes is available in the log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.


Krishna Govind
Google Chrome
 
Google has released Version 51.0.2704.63 of the Chrome browser.
Stable Channel Update
Wednesday, May 25, 2016

The Chrome team is delighted to announce the promotion of Chrome 51 to the stable channel for Windows, Mac and Linux.



Chrome 51.0.2704.63 contains a number of fixes and improvements -- a list of changes is available in the log. Watch out for upcoming Chrome and Chromium blog posts about new features and big efforts delivered in 51.


Security Fixes and Rewards

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.


This update includes 42 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chromium security page for more information.


[$7500][590118] High CVE-2016-1672: Cross-origin bypass in extension bindings. Credit to Mariusz Mlynski.
[$7500][597532] High CVE-2016-1673: Cross-origin bypass in Blink. Credit to Mariusz Mlynski.
[$7500][598165] High CVE-2016-1674: Cross-origin bypass in extensions. Credit to Mariusz Mlynski.
[$7500][600182] High CVE-2016-1675: Cross-origin bypass in Blink. Credit to Mariusz Mlynski.
[$7500][604901] High CVE-2016-1676: Cross-origin bypass in extension bindings. Credit to Rob Wu.
[$4000][602970] Medium CVE-2016-1677: Type confusion in V8. Credit to Guang Gong of Qihoo 360.
[$3500][595259] High CVE-2016-1678: Heap overflow in V8. Credit to Christian Holler.
[$3500][606390] High CVE-2016-1679: Heap use-after-free in V8 bindings. Credit to Rob Wu.
[$3000][589848] High CVE-2016-1680: Heap use-after-free in Skia. Credit to Atte Kettunen of OUSPG.
[$3000][613160] High CVE-2016-1681: Heap overflow in PDFium. Credit to Aleksandar Nikolic of Cisco Talos.
[$1000][579801] Medium CVE-2016-1682: CSP bypass for ServiceWorker. Credit to KingstonTime.
[$1000][583156] Medium CVE-2016-1683: Out-of-bounds access in libxslt. Credit to Nicolas Gregoire.
[$1000][583171] Medium CVE-2016-1684: Integer overflow in libxslt. Credit to Nicolas Gregoire.
[$1000][601362] Medium CVE-2016-1685: Out-of-bounds read in PDFium. Credit to Ke Liu of Tencent's Xuanwu LAB.
[$1000][603518] Medium CVE-2016-1686: Out-of-bounds read in PDFium. Credit to Ke Liu of Tencent's Xuanwu LAB.
[$1000][603748] Medium CVE-2016-1687: Information leak in extensions. Credit to Rob Wu.
[$1000][604897] Medium CVE-2016-1688: Out-of-bounds read in V8. Credit to Max Korenko.
[$1000][606185] Medium CVE-2016-1689: Heap buffer overflow in media. Credit to Atte Kettunen of OUSPG.
[$1000][608100] Medium CVE-2016-1690: Heap use-after-free in Autofill. Credit to Rob Wu.
[$500][597926] Low CVE-2016-1691: Heap buffer-overflow in Skia. Credit to Atte Kettunen of OUSPG.
[$500][598077] Low CVE-2016-1692: Limited cross-origin bypass in ServiceWorker. Credit to Til Jasper Ullrich.
[$500][598752] Low CVE-2016-1693: HTTP Download of Software Removal Tool. Credit to jackwillzac.
[$500][603682] Low CVE-2016-1694: HPKP pins removed on cache clearance. Credit to Ryan Lester.


We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.


As usual, our ongoing internal security work was responsible for a wide range of fixes:
  • [614767] CVE-2016-1695: Various fixes from internal audits, fuzzing and other initiatives.

Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, Control Flow Integrity or LibFuzzer.

Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.



Krishna Govind
Google Chrome
 
Google has released Version 51.0.2704.79 of the Chrome browser.
Stable Channel Update
Wednesday, June 1, 2016
The stable channel has been updated to 51.0.2704.79 for Windows, Mac, and Linux.

Security Fixes and Rewards

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

This update includes 15 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chromium security page for more information.

[$7500][601073] High CVE-2016-1696: Cross-origin bypass in Extension bindings. Credit to anonymous.
[$7500][613266] High CVE-2016-1697: Cross-origin bypass in Blink. Credit to Mariusz Mlynski.
[$4000][603725] Medium CVE-2016-1698: Information leak in Extension bindings. Credit to Rob Wu.
[$3500][607939] Medium CVE-2016-1699: Parameter sanitization failure in DevTools. Credit to Gregory Panakkal.
[$1500][608104] Medium CVE-2016-1700: Use-after-free in Extensions. Credit to Rob Wu.
[$1000][608101] Medium CVE-2016-1701: Use-after-free in Autofill. Credit to Rob Wu.
[$1000][609260] Medium CVE-2016-1702: Out-of-bounds read in Skia. Credit to cloudfuzzer.

We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.

As usual, our ongoing internal security work was responsible for a wide range of fixes:
  • [616539] CVE-2016-1703: Various fixes from internal audits, fuzzing and other initiatives.

Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, Control Flow Integrity or LibFuzzer.


A list of changes is available in the log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.


Krishna Govind
Google Chrome
 
Google has released Version 51.0.2704.106 of the Chrome browser.
Stable Channel Update
Thursday, June 23, 2016
The stable channel has been updated to 51.0.2704.106 for Windows, Mac, and Linux.


A list of changes is available in the log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.


Krishna Govind
Google Chrome
 
Google has released Version 52.0.2743.82 of the Chrome browser.
Stable Channel Update
Wednesday, July 20, 2016
The Chrome team is delighted to announce the promotion of Chrome 52 to the stable channel for Windows, Mac and Linux. Chrome 52.0.2743.82 contains a number of fixes and improvements -- a list of changes is available in the log. Watch out for upcomingChrome and Chromium blog posts about new features and big efforts delivered in 52.
Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

This update includes 48 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chromium security page for more information.

[$15000][610600] High CVE-2016-1706: Sandbox escape in PPAPI. Credit to Pinkie Pie
[$3000][622183] High CVE-2016-1707: URL spoofing on iOS. Credit to xisigr of Tencent's Xuanwu Lab
[$TBD][613949] High CVE-2016-1708: Use-after-free in Extensions. Credit to Adam Varsan
[$TBD][614934] High CVE-2016-1709: Heap-buffer-overflow in sfntly. Credit to ChenQin of Topsec Security Team
[$TBD][616907] High CVE-2016-1710: Same-origin bypass in Blink. Credit to Mariusz Mlynski
[$TBD][617495] High CVE-2016-1711: Same-origin bypass in Blink. Credit to Mariusz Mlynski
[$TBD][618237] High CVE-2016-5127: Use-after-free in Blink. Credit to cloudfuzzer
[$TBD][619166] High CVE-2016-5128: Same-origin bypass in V8. Credit to Anonymous
[$TBD][620553] High CVE-2016-5129: Memory corruption in V8. Credit to Jeonghoon Shin
[$TBD][623319] High CVE-2016-5130: URL spoofing. Credit to Wadih Matar
[$TBD][623378] High CVE-2016-5131: Use-after-free in libxml. Credit to Nick Wellnhofer
[$1000][607543] Medium CVE-2016-5132: Limited same-origin bypass in Service Workers. Credit to Ben Kelly
[$1000][613626] Medium CVE-2016-5133: Origin confusion in proxy authentication. Credit to Patch Eudor
[$500][593759] Medium CVE-2016-5134: URL leakage via PAC script. Credit to Paul Stone
[$500][605451] Medium CVE-2016-5135: Content-Security-Policy bypass. Credit to kingxwy
[$TBD][625393] Medium CVE-2016-5136: Use after free in extensions. Credit to Rob Wu
[$TBD][625945] Medium CVE-2016-5137: History sniffing with HSTS and CSP. Credit to Xiaoyin Liu

We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.

As usual, our ongoing internal security work was responsible for a wide range of fixes:

[629852] CVE-2016-1705: Various fixes from internal audits, fuzzing and other initiatives.

Many of our security bugs are detected using AddressSanitizer, MemorySanitizer,Control Flow Integrity or LibFuzzer.
Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.

Krishna Govind
Google Chrome
 
Google has released Version 52.0.2743.116 of the Chrome browser.
Stable Channel Update for Desktop
Wednesday, August 3, 2016
The stable channel has been updated to 52.0.2743.116 for Windows, Mac, and Linux. This will roll out over the coming days/weeks.
Security Fixes and Rewards


Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.


This update includes 10 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chromium security page for more information.


[$4000][629542] High CVE-2016-5141 Address bar spoofing. Credit to Sergey Glazunov
[$4000][626948] High CVE-2016-5142 Use-after-free in Blink. Credit to Sergey Glazunov
[$3000][625541] High CVE-2016-5139 Heap overflow in pdfium. Credit to GiWan Go of Stealien
[$3500][619405] High CVE-2016-5140 Heap overflow in pdfium. Credit to Ke Liu of Tencent's Xuanwu LAB
[$4000][623406] Medium CVE-2016-5145 Same origin bypass for images in Blink. Credit to Sergey Glazunov
[$1000][619414] Medium CVE-2016-5143 Parameter sanitization failure in DevTools. Credit to Gregory Panakkal
[$1000][618333] Medium CVE-2016-5144 Parameter sanitization failure in DevTools. Credit to Gregory Panakkal


We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.


As usual, our ongoing internal security work was responsible for a wide range of fixes:
  • [633486] CVE-2016-5146: Various fixes from internal audits, fuzzing and other initiatives.

Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, Control Flow Integrity or LibFuzzer.

A list of changes is available in the log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.


Krishna Govind
Google Chrome
 
Google has released Version 53.0.2785.89 of the Chrome browser.
Stable Channel Update for Desktop
Wednesday, August 31, 2016
The Chrome team is delighted to announce the promotion of Chrome 53 to the stable channel for Windows, Mac and Linux. This will roll out over the coming days/weeks.


Chrome 53.0.2785.89 contains a number of fixes and improvements -- a list of changes is available in the log. Watch out for upcoming Chrome and Chromium blog posts about new features and big efforts delivered in 53.
Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.


This update includes 33 security fixes Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information


[$7500][628942] High CVE-2016-5147: Universal XSS in Blink. Credit to anonymous
[$7500][621362] High CVE-2016-5148: Universal XSS in Blink. Credit to anonymous
[$7500][573131] High CVE-2016-5149: Script injection in extensions. Credit to Max Justicz (Max Justicz)
[$5000][637963] High CVE-2016-5150: Use after free in Blink. Credit to anonymous
[$5000][634716] High CVE-2016-5151: Use after free in PDFium. Credit to anonymous
[$5000][629919] High CVE-2016-5152: Heap overflow in PDFium. Credit to GiWan Go of Stealien
[$3500][631052] High CVE-2016-5153: Use after destruction in Blink. Credit to Atte Kettunen of OUSPG
[$3000][633002] High CVE-2016-5154: Heap overflow in PDFium. Credit to anonymous
[$3000][630662] High CVE-2016-5155: Address bar spoofing. Credit to anonymous
[$3000][625404] High CVE-2016-5156: Use after free in event bindings. Credit to jinmo123
[$TBD][632622] High CVE-2016-5157: Heap overflow in PDFium. Credit to anonymous
[$TBD][628890] High CVE-2016-5158: Heap overflow in PDFium. Credit to GiWan Go of Stealien
[$TBD][628304] High CVE-2016-5159: Heap overflow in PDFium. Credit to GiWan Go of Stealien
[$n/a][622420] Medium CVE-2016-5161: Type confusion in Blink. Credit to 62600BCA031B9EB5CB4A74ADDDD6771E working with Trend Micro's Zero Day Initiative
[$n/a][589237] Medium CVE-2016-5162: Extensions web accessible resources bypass. Credit to Nicolas Golubovic
[$3000][609680] Medium CVE-2016-5163: Address bar spoofing. Credit to Rafay Baloch PTCL Etisalat (http://rafayhackingarticles.net)
[$2000][637594] Medium CVE-2016-5164: Universal XSS using DevTools. Credit to anonymous
[$1000][618037] Medium CVE-2016-5165: Script injection in DevTools. Credit to Gregory Panakkal
[$TBD][616429] Medium CVE-2016-5166: SMB Relay Attack via Save Page As. Credit to Gregory Panakkal
[$500][576867] Low CVE-2016-5160: Extensions web accessible resources bypass. Credit to @l33terally, FogMarks.com (@FogMarks)


We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.


As usual, our ongoing internal security work was responsible for a wide range of fixes:
  • [642598] CVE-2016-5167: Various fixes from internal audits, fuzzing and other initiatives.

Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, Control Flow Integrity or LibFuzzer.



Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.


Krishna Govind
Google Chrome

Ref:
Chrome Releases: Stable Channel Update for Desktop
 
Google has released Version 53.0.2785.101 of the Chrome browser.
Stable Channel Update for Desktop
Wednesday, September 7, 2016
The stable channel has been updated to 53.0.2785.101 for Windows, Mac, and Linux. This will roll out over the coming days/weeks (MSI points to M53)


A list of changes is available in the log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.


Krishna Govind
Google Chrome
 
Google has released Version 53.0.2785.113 of the Chrome browser.
Stable Channel Update for Desktop
Tuesday, September 13, 2016
The stable channel has been updated to 53.0.2785.113 for Windows, Mac, and Linux. This will roll out over the coming days/weeks (MSI points to M53).

Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.


This update includes these security fixes. Below, we highlight fixes that were contributed by external researchers, including those not already mentioned in recent release notes. Please see the Chrome Security Page for more information


[$TBD][641101] High CVE-2016-5170: Use after free in Blink. Credit to Anonymous
[$TBD][643357] High CVE-2016-5171: Use after free in Blink. Credit to Anonymous
[$TBD][616386] Medium CVE-2016-5172: Arbitrary Memory Read in v8. Credit to Choongwoo Han
[$3000][468931] Medium CVE-2016-5173: Extension resource access. Credit to Anonymous
[$1000][579934] Medium CVE-2016-5174: Popup not correctly suppressed. Credit to Andrey Kovalev (@L1kvID) Yandex Security Team


We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.


As usual, our ongoing internal security work was responsible for a wide range of fixes:
  • [646394] CVE-2016-5175: Various fixes from internal audits, fuzzing and other initiatives.

Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, Control Flow Integrity or LibFuzzer.


A list of changes is available in the log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.


Krishna Govind
Google Chrome
 
Google has released Version 53.0.2785.143 of the Chrome browser.
Stable Channel Update for Desktop
Thursday, September 29, 2016
The stable channel has been updated to 53.0.2785.143 for Windows, Mac, and Linux. This will roll out over the coming days/weeks.
Security Fixes and Rewards
Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, Control Flow Integrity or LibFuzzer.

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.


This update includes 3 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information


[$5000][642496] High CVE-2016-5177: Use after free in V8. Credit to Anonymous


We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.


As usual, our ongoing internal security work was responsible for a wide range of fixes:
  • [651092] CVE-2016-5178: Various fixes from internal audits, fuzzing and other initiatives.


A list of changes is available in the log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.


Krishna Govind
Google Chrome
 
Back
Top Bottom