Chrome on stable channel has been updated to 8.0.552.237 for all platforms. Chrome OS has also been updated, to 8.0.552.334. These releases contain the security fixes listed below.

Security fixes and rewards:

Please see

the Chromium security page

for more detail. Note that the referenced bugs may be kept private until a majority of our users are up to date with the fix.

We’re delighted to offer our first “elite” $

3133.7

Chromium Security Reward

to Sergey Glazunov. Critical bugs are harder to come by in Chrome, but Sergey has done it. Sergey also collects a $

1

3

3

7

reward and several other rewards at the same time, so congratulations Sergey!

Also of note is a clarification on our default charity policy. Some researchers are unable to accept rewards, or even provide a suggestion for a charity. In such cases, it feels like a shame to lose a charitable contribution so we will default reward money to the Red Cross.

[ 58053 ] Medium Browser crash in extensions notification handling. Credit to Eric Roman of the Chromium development community.

[$ 1 3 3 7 ] [ 65764 ] High Bad pointer handling in node iteration. Credit to Sergey Glazunov.

[ 66334 ] High Crashes when printing multi-page PDFs. Credit to Google Chrome Security Team (Chris Evans).

[$ 1000 ] [ 66560 ] High Stale pointer with CSS + canvas. Credit to Sergey Glazunov.

[$ 500 ] [ 66748 ] High Stale pointer with CSS + cursors. Credit to Jan Tošovský.

[ 67100 ] High Use after free in PDF page handling. Credit to Google Chrome Security Team (Chris Evans).

[$ 1000 ] [ 67208 ] High Stack corruption after PDF out-of-memory condition. Credit to Jared Allar of CERT.

[$ 1000 ] [ 67303 ] High Bad memory access with mismatched video frame sizes. Credit to Aki Helin of OUSPG; plus independent discovery by Google Chrome Security Team (SkyLined) and David Warren of CERT.

[$ 500 ] [ 67363 ] High Stale pointer with SVG use element. Credited anonymously; plus indepdent discovery by miaubiz.

[$ 1000 ] [ 67393 ] Medium Uninitialized pointer in the browser triggered by rogue extension. Credit to kuzzcc.

[$ 1000 ] [ 68115 ] High Vorbis decoder buffer overflows. Credit to David Warren of CERT.

[$ 1000 ] [ 68170 ] High Buffer overflow in PDF shading. Credit to Aki Helin of OUSPG.

[$ 1000 ] [ 68178 ] High Bad cast in anchor handling. Credit to Sergey Glazunov.

[$ 1000 ] [ 68181 ] High Bad cast in video handling. Credit to Sergey Glazunov.

[$ 1000 ] [ 68439 ] High Stale rendering node after DOM node removal. Credit to Martin Barbella; plus independent discovery by Google Chrome Security Team (SkyLined).

[$ 3133.7 ] [ 68666 ] Critical Stale pointer in speech handling. Credit to Sergey Glazunov.

Full details about the Chrome changes are available in the

SVN revision log

. If you find new issues, please let us know by

filing a bug

. Want to change to another Chrome release channel?

Find out how

.

Jason Kersey

Google Chrome