Google Chrome update fixes 12 vulnerabilities and patches Flash Player

Google released a new version of its Chrome browser in order to update the bundled Flash Player plug-in and address serious security vulnerabilities.

Google Chrome 17.0.963.56 fixes 12 security flaws, seven of which are considered high severity, four of medium severity and one of low severity.

Security researcher Jüri Aedla received a special $1,337 reward for discovering and reporting an integer overflow vulnerability in libpng, the library used by Chrome to process PNG images.

Other high-severity flaws were identified in the browser's PDF codecs, its subframe loading, h.264 parsing and path rendering components, as well as its MKV, database, column and counter node handling code.

In theory these vulnerabilities should be considered critical because they could facilitate the remote execution of arbitrary code on the targeted systems.

However, because Google Chrome has a sandboxed architecture, exploiting these vulnerabilities alone would not provide attackers with the necessary level of access to run malicious code.

Six vulnerabilities patched in this release were discovered with the help of an open-source tool called AddressSanitizer, Google Chrome engineer Jason Kersey said in a blog post on February 15.

Chrome 17.0.963.56 also includes a new Flash Player version that Adobe released earlier this week, Kersey said. The Flash Player update addresses seven critical security flaws.

Google paid a total of $6,837 to security researchers who reported vulnerabilities patched in this release. The company recently expanded its Chromium Security Rewards Program to also cover vulnerabilities found in Chrome OS.