Chrome Release Fixes Security Holes
Friday, September 4, 2015 @ 04:09 PM gHale
Google released Chrome 45 for Windows, Mac, and Linux this week, patching 29 vulnerabilities.
Ten of the 29 security issues ended up reported by external researchers.
Six of the vulnerabilities reported by external researchers ended up rated high severity, Google said.
The list includes cross-origin bypass flaws in DOM (CVE-2015-1291, CVE-2015-1293), a cross-origin bypass in Service Worker (CVE-2015-1292), use-after-free flaws in Skia (CVE-2015-1294) and Printing (CVE-2015-1295), and a character spoofing bug in the Omnibox address bar (CVE-2015-1296).
Google has paid out $7,500 for each of the cross-origin bypass vulnerabilities, $5,000 for the use-after-free in Skia, $3,000 for the use-after-free in Printing, and $1,000 for the Omnibox spoofing issue.
The medium impact flaws patched with the release of Chrome 45.0.2454.85 are a permission scoping error in WebRequests, a URL validation error in extensions, and information leak and use-after-free bugs in the Blink web browser engine.
The vulnerabilities fixed in Chrome 45 ended up reported by anonymous researchers, Mariusz Mlynski, Rob Wu, Alexander Kashev, and experts using the online monikers taro.suzuki.dev, cgvwzq, cloudfuzzer, and zcorpan.
The amount of money paid out by Google so far to those who contributed to making Chrome more secure is $40,500, but not all vulnerabilities underwent review by the search giant’s reward panel.
Google’s own security team has also identified many flaws through internal audits, fuzzing and other initiatives.
With the release of Chrome 45, Google has also started killing Flash ads. The company decided to pause certain plugin content, including Flash ads, in an effort to improve performance and reduce power consumption.