High Severity Issues Fixed in Chrome

Tuesday, June 30, 2015 @ 04:06 PM gHale

Google released the stable version of the Chrome browser, delivering fixes for high severity security flaws.

The list of issues is partially available, with only four released by the developer, two of them representing a high risk.

Unpatched IE11 Vulnerability Released
Chrome Exploit Changes DNS Servers
Safari Browser Spoofing Potential
Apple Fixes Webkit Flaws in Safari

A researcher who chose to remain anonymous reported to Google a scheme validation error in WebUI, now tracked as CVE-2015-1266, and received a reward of $5,000.

Another high severity problem came from Mariusz Mlynski, a security researcher from Poland who managed at this year’s Pwn2Own hacking competition to exploit a cross-origin vulnerability in Mozilla Firefox and achieve privilege escalation within the browser in less than a second.

The bug in Chrome consists in a cross-origin bypass in the browser’s layout engine, Blink, and has been assigned the CVE identifier CVE-2015-1268.

The other two issues repaired in the latest Chrome are medium severity and refer to another cross-origin bypass (credited to an anonymous reporter) and a normalization error in HSTS/HPKP preload list, reported by researcher Mike Ruddy.

Chrome 43.0.2357.130 is available for Windows, Mac and Linux and it addresses a larger number of vulnerabilities.