Chrome 42 Releases; 45 Flaws Fixed

Thursday, April 16, 2015 @ 03:04 PM gHale


Chrome 42 for Windows, Mac and Linux is now available. The release fixes 45 security issues and removes NPAPI support, Google officials said.

The most serious vulnerability fixed in Chrome 42 is a cross-origin bypass flaw in the HTML parser (CVE-2015-1235). The discovery of this high severity bug earned an anonymous researcher $7,500.

The list of high severity vulnerabilities also includes a type confusion in V8 (CVE-2015-1242) reported by Cole Forrester of Onshape, a use-after-free in IPC (CVE-2015-1237) reported by Khalil Zhani, and an out-of-bounds write bug in the Skia graphics engine (CVE-2015-1238) identified by cloudfuzzer.

The medium severity security issues reported by external researchers are a cross-origin bypass in the Blink web browser engine, an out-of-bounds read in WebGL, a use-after-free in PDFium, a tap-jacking flaw, an HSTS bypass in WebSockets, an out-of-bounds read in Blink, scheme issues in OpenSearch, and a SafeBrowsing bypass.

The researchers who contributed to making Chrome more secure earned $21,500, according to a Google blog post.

“We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel,” said Alex Mineer of the Google Chrome team.

In September 2013, Google said it would phase out support for the Netscape Plugin API (NPAPI). The company noted at the time that the API’s 90s-era architecture was causing crashes, security issues and other problems.

In January 2014, Google blocked web page-instantiated NPAPI plugins by default, but whitelisted some of the most popular applications, such as Silverlight, Unity, Google Earth, Google Talk, and Facebook Video. Java was also on the list of most popular plugins using NPAPI, but it was disabled earlier for security reasons.

Now, NPAPI support is off by default in Chrome, and extensions requiring NPAPI plugins will be removed from the Chrome Web Store. Advanced users and enterprises can temporarily re-enable NPAPI until the plugins they use transition to alternative technologies.

Starting with Chrome 45, scheduled for release in September, this override will be removed and NPAPI support will go away permanently.


