The list of high severity flaws patched by Google and discovered by outside researchers includes a cross-origin bypass in the Blink rendering engine, a use-after-free in PDFium, a use-after-free in ServiceWorker and a bad cast issue in PDFium.
The medium severity flaws found from outside researchers are an information leakage bug in LocalStorage, an improper error handling issue in libANGLE and memory corruption vulnerabilities in FFMpeg.
Google said Chrome 46 changes the way users learn about page security. Under the old way, HTTPS sites that had minor errors had little yellow “caution triangle” badges.
From now on, though, the icon for HTTPS sites with minor errors will be the same as for HTTP websites. By doing so, Google wants to reduce the number of icons Chrome users have to learn, and encourage website operators to speed up migration to proper HTTPS.
“We’ve come to understand that our yellow ‘caution triangle’ badge can be confusing when compared to the HTTP page icon, and we believe that it is better not to emphasize the difference in security between these two states to most users. For developers and other interested users, it will still be possible to tell the difference by checking whether the URL begins with ‘https://’,” Chrome officials said in a blog post.