Google Fixes 12 Chrome Vulnerabilities

Friday, August 15, 2014 @ 03:08 PM gHale


Google rolled out version 36 of the Chrome browser for Windows, Mac and Linux, including a set of security fixes, along with the latest revision of Flash Player.

Twelve vulnerabilities ended up fixed in this release, with some found by external security researchers, who earned cash for their efforts through Google’s bug bounty program.

RELATED STORIES
Security Updates for Firefox
IE Browser of Choice for Attacks
Flaw in Chrome Speech Recognition API
Chrome Update Includes 31 Security Fixes

For a use-after-free security flaw (CVE-2014-3165) in web sockets, Google paid $2,000 to researcher Collin Payne; additional information about this flaw is not available right now.

From another external researcher, the Google team received details about a security glitch that could lead to information disclosure in SPDY. Identified as CVE-2014-3166, the discovery goes to Antoine Delignat-Lavaud, second year PhD student in team Prosecco at Inria Paris.

In order to prevent the information leakage, Chrome developers decided to disable SPDY and QUIC session pooling in the latest revision of the web browser.

SPDY is a network protocol designed to increase page load speed and security, by manipulating HTTP traffic.

Disabling it translates to the user into slower page loads on websites using this protocol, but the latency is not as significant as to affect browsing at all.

Additional input came from the internal security team, who discovered an undisclosed number of glitches through internal audits or code fuzzing operations.

Build 36.0.1985.143 of the web browser also updates the Adobe Flash Player plug-in to the recently released version 14.0.0.177.

Adobe patched seven critical vulnerabilities, most of them referring to memory leaks that could end up taken advantage of for bypassing memory protection mechanisms (address randomization).



Leave a Reply

You must be logged in to post a comment.