Google Chrome Holes Fixed Before Black Hat Conference

Just before the Black Hat security conference begins, Google has patched seven security holes in the stable version of Chrome and begun an effort to speed up the software industry's response to such vulnerabilities.

Google paid two $1,337 bounties for work that let Chrome avoid critical security problems by sidestepping vulnerabilities in Windows and the widely used glibc software library, according to a Monday blog post about Chrome 5.0.375.125 by Jason Kersey of Google's Chrome team.

Also through its program to reward those who find Chrome security holes, Google paid those who found three high-risk vulnerabilities and one medium-risk vulnerability. The final issue, a low-risk problem, elicited no payment.

That incentive program got more serious in July, when Google announced a new maximum reward of $3,133.7 for severe bugs. (If you're not in on the leetspeak joke, that means "eleet," better than the mere "leet" level that was attainable before.)

Google is trying to steer the security agenda in more ways than just paying those who find holes. In a blog post last week by a group of Googlers, Google called for reform to the "responsible disclosure" practice for sharing newly discovered vulnerabilities.

With responsible disclosure, a security researcher privately notifies a software maker of the vulnerability, announcing it only when the software maker has a fix ready. It contrasts with full disclosure, which gives no such grace period but which also lets users of the software know as soon as possible they may be affected. After all, a computer attacker might have discovered the vulnerability independently and could be exploiting it before the software company has a fix prepared.

"We've seen an increase in vendors invoking the principles of 'responsible' disclosure to delay fixing vulnerabilities indefinitely, sometimes for years; in that timeframe, these flaws are often rediscovered and used by rogue parties using the same tools and methodologies used by ethical researchers," the Googlers said in a blog post last week.

"We believe that responsible disclosure is a two-way street. Vendors, as well as researchers, must act responsibly. Serious bugs should be fixed within a reasonable timescale," they said. "Whilst every bug is unique, we would suggest that 60 days is a reasonable upper bound for a genuinely critical issue in widely deployed software."
