Nov 4, 2010 13:40 GMT

Google has updated the stable version of its Chrome browser to 7.0.517.44, which addresses nine high-risk security vulnerabilities, but doesn't fix the vulnerable Flash Player plug-in.

Regular contributor wushi, of team509, discovered two of the vulnerabilities and received $1,000 for each of them through the Chromium vulnerability reward program.

The two bugs are described as memory corruption with an enormous text area and an out-of-bounds array access in SVG handling.

Another researcher known as kuzzcc, who is actively involved in Chrome security, was awarded $1,000 for discovering a bad cast with the SVG use element.

Aki Helin of OUSPG, who is already listed in the Chromium Security Hall of Fame along with wushi and kuzzcc, received a $1,000 reward for an integer overflow vulnerability in font handling, which only affects Chrome on Linux.

Researcher Bui Quang Minh from Vietnamese security vendor Bach Khoa Internetwork Security (Bkis) found an invalid memory read in XPath handling.

A use-after-free vulnerability in text editing was identified by David Bloom, Cris Neckar, and Inferno, of the Google Chrome Security Team.

Inferno is also credited, along with a bug hunter calling himself fam.lam, for finding a high-risk flaw involving type confusions with event objects.

Another high-risk use-after-free vulnerability in text control selections was discovered by a researcher referred to as "vkouchna."

A memory corruption flaw in libvpx was found by Christoph Diehl, while a bad use of a destroyed frame object is attributed to "gundlach" and other developers.

Interestingly enough, the Flash plug-in integrated in Chrome has not been updated, even though a Flash Player patch for a critical zero-day vulnerability is expected to land today.

It's not yet clear if Google plans to apply this fix by releasing another Chrome stable version, which would seem a bit redundant, or if it has a mechanism in place to only update the Flash plug-in.

Update November 4: Google Chrome 7.0.517.44 also patches a critical Flash vulnerability currently exploited in the wild by updating its integrated Flash Player plug-in from version 10.1.85.3 to 10.1.103.19.

Google Chrome 7.0.517.44 for Windows can be downloaded here.

Google Chrome 7.0.517.44 for Linux can be downloaded here.

Google Chrome 7.0.517.44 for Mac can be downloaded here.

Originally, this article incorrectly stated that Chrome did not update its Flash plug-in. The editor checked this aspect on a clean installation of Chrome downloaded via Google's normal distribution channel. However, the version of the downloaded product was 7.0.517.41, despite the company's Stable update announcement.