Google Chrome is a browser that combines a minimal design with sophisticated technology to make the web faster, safer, and easier. Google Chrome version 21.0.1180.60 (21.0.1180.57 for Mac and Linux) is out, fixing 15 security vulnerabilities in the search giant’s browser. Strictly from a security perspective, you should upgrade as soon as possible and download the latest version of Chrome directly from google.com/chrome.
Security fixes and rewards:
Please see the Chromium security page for more detail. Note that the referenced bugs may be kept private until a majority of our users are up to date with the fix.
- [Linux only] Medium CVE-2012-2846: Cross-process interference in renderers. Credit to Google Chrome Security Team (Julien Tinnes).
- Low CVE-2012-2847: Missing re-prompt to user upon excessive downloads. Credit to Matt Austin of Aspect Security.
- Medium CVE-2012-2848: Overly broad file access granted after drag+drop. Credit to Matt Austin of Aspect Security.
- Low CVE-2012-2849: Off-by-one read in GIF decoder. Credit to Atte Kettunen of OUSPG.
- Medium CVE-2012-2850: Various lower severity issues in the PDF viewer. Credit to Mateusz Jurczyk of Google Security Team, with contributions by Gynvael Coldwind of Google Security Team.
- High CVE-2012-2851: Integer overflows in PDF viewer. Credit to Mateusz Jurczyk of Google Security Team, with contributions by Gynvael Coldwind of Google Security Team.
- High CVE-2012-2852: Use-after-free with bad object linkage in PDF. Credit to Alexey Samsonov of Google.
- Medium CVE-2012-2853: webRequest can interfere with the Chrome Web Store. Credit to Trev of Adblock.
- Low CVE-2012-2854: Leak of pointer values to WebUI renderers. Credit to Nasko Oskov of the Chromium development community.
- High CVE-2012-2855: Use-after-free in PDF viewer. Credit to Mateusz Jurczyk of Google Security Team, with contributions by Gynvael Coldwind of Google Security Team.
- High CVE-2012-2856: Out-of-bounds writes in PDF viewer. Credit to Mateusz Jurczyk of Google Security Team, with contributions by Gynvael Coldwind of Google Security Team.
- [$1000] High CVE-2012-2857: Use-after-free in CSS DOM. Credit to Arthur Gerkis.
- [$1000] High CVE-2012-2858: Buffer overflow in WebP decoder. Credit to Jüri Aedla.
- [Linux only] Critical CVE-2012-2859: Crash in tab handling. Credit to Jeff Roberts of Google Security Team.
- Medium CVE-2012-2860: Out-of-bounds access when clicking in date picker. Credit to Chamal de Silva.
For Chrome 21, Google paid security researchers a grand total of $2,000 in rewards as part of its bug bounty program. This payout is smaller than usual since Google found most of the vulnerabilities this time, using its own AddressSanitizer tool.
Still, Mountain View recently quintupled its maximum bug bounty to $20,000. The company has so far received about 800 qualifying vulnerability reports that span across the hundreds of Google-developed services, as well as the software written by 50 or so firms it has acquired. In just over a year, the program has paid out around $460,000 to roughly 200 individuals.
For the record, Google Chrome 20 was released just five weeks ago (and then updated again three weeks ago). At the time, I expected Chrome 21 to be released “sometime in August.” It turns out I was off by a day.