
Google pays out $6,000 in bounties in Chrome 16 update

15 vulnerabilities patched as new version of web browser released

Google has patched 15 vulnerabilities in Chrome, paying $6,000 in bounties to bug hunters who reported some of them, and updated the browser to version 16.

The one new feature in the upgrade that Google called out was multi-user synchronisation of bookmarks, passwords and apps.

Google last refreshed Chrome on October 25. Google produces an update to its "stable" channel about every six to eight weeks, a slightly more flexible schedule than rival Mozilla's every-six-week pace.

Six of the 15 vulnerabilities patched were rated "high," the second-most-serious ranking in Google's system, while seven were labelled "medium" and another two were tagged as "low."

Google paid $6,000 in bounties, less than a quarter of what it laid out in October, to five researchers for reporting seven bugs. The eight other vulnerabilities were uncovered by members of Google's own security team, developers who contribute to the open source Chromium project - which feeds code to Chrome - or were ranked low and so not eligible for a bonus.

The company has paid just over $180,000 so far this year in bounties to outside researchers.

Several of the bugs, including a pair attributed to independent researcher Arthur Gerkis - who earned $2,000 for his work - were found using Google's memory error detection tool, AddressSanitizer. Released in June, AddressSanitizer can detect a variety of errors, including "use-after-free" memory management bugs like those reported by Gerkis.

Four of the flaws were related to Google's parsing of PDF documents - the browser includes a built-in PDF viewer, eliminating the need to launch Adobe's free Reader application - while two others were found in Chrome's processing of SVG (scalable vector graphics) images.

Per its usual practice, Google blocked access to its bug tracking database for all 15 vulnerabilities to prevent outsiders from obtaining details that could be used to craft exploits. Google typically opens up the database weeks or even months later, after it's sure a majority of users have had their browsers upgraded by Chrome's silent updating process.

Google usually includes only a handful of obvious changes in each Chrome upgrade, and held to that practice yesterday: The only feature it touted was the option to add additional users to Chrome so that several people could use the browser on a shared Mac or PC, but keep their synchronised content - bookmarks, passwords, installed apps, and more - separate.

The multi-user sync debuted in early November in a beta of Chrome 16.

Chrome 16 can now separately sync bookmarks and passwords for several people who share one computer.

According to Irish metrics company StatCounter, Chrome accounted for nearly 26% of all browsers used last month, enough to pass Firefox and take second place behind Microsoft's Internet Explorer.

Another measurement firm, US-based Net Applications, still had Chrome behind Firefox, but projections based on its data showed that Google's browser would jump Mozilla's no later than May 2012.

Chrome 16 can be downloaded for Windows, Mac OS X and Linux from Google's website. Users already running the browser will be updated automatically via the browser's behind-the-scenes service.





