Chrome 49 Released with 26 Security Fixes

Google released Chrome 49 in the stable channel for Windows, Mac and Linux, providing users with 26 security fixes and various other improvements.

The new browser release is available as version 49.0.2623.75 and was meant to resolve eight High severity vulnerabilities and five Medium ones reported by external researchers. Google hasn’t released information on all of the flaws patched in this update, but did reveal that it paid nearly $40,000 in bug bounties, with an additional $14,500 in rewards issued for security bugs present on non-stable channels.

Among the most important vulnerabilities in this release were a same-origin bypass in Blink (CVE-2016-1630) and a same-origin bypass in Pepper Plugin (CVE-2016-1631), which earned Mariusz Mlynski $8,000 and $7,500, respectively. Next in line was a bad cast in Extensions (CVE-2016-1632) valued at $5,000, which was disclosed by an anonymous researcher.

Two use-after-free flaws in Blink (CVE-2016-1633 and CVE-2016-1634) were disclosed by cloudfuzzer and were valued at $3,000, while a third similar vulnerability (CVE-2016-1635) earned Rob Wu $2,000. Google paid an additional $2,000 for an SRI validation bypass (CVE-2016-1636) and $500 for an out-of-bounds access flaw in libpng (CVE-2015-8126).

The most valuable Medium severity vulnerability patched in Chrome 49 was an information leak flaw in Skia, which earned Keve Nagy $2,000. Google also resolved three Medium severity issues valued at $1,000 each, namely a WebAPI bypass (CVE-2016-1638), a use-after-free in WebRTC (CVE-2016-1639), and an origin confusion in the Extensions UI (CVE-2016-1640), which were discovered by Rob Wu, Khalil Zhani, and Luan Herrera, respectively.

The fifth Medium severity flaw patched in Chrome 49 that was reported to Google by an external researcher was a use-after-free in Favicon (CVE-2016-1641), which earned Atte Kettunen of OUSPG a $500 reward.

According to Google, its internal testers were also responsible for a series of fixes in the new browser release. Among these, the company includes various fixes from internal audits, fuzzing and other initiatives (CVE-2016-1642) and notes that multiple vulnerabilities in V8 were fixed at the tip of the 4.9 branch (currently 4.9.385.26).

 
