Chrome 46 Patches Vulnerabilities, Simplifies Page Security Icon

Google announced on Tuesday the release of Chrome 46, a version that patches several serious vulnerabilities and simplifies the security icon displayed for each website.

The stable channel of Chrome 46 for Windows, Mac and Linux resolves a total of 24 security issues, some of which have been reported by external researchers.

The list of high severity flaws patched by Google includes a cross-origin bypass in the Blink rendering engine (CVE-2015-6755), a use-after-free in PDFium (CVE-2015-6756), a use-after-free in ServiceWorker (CVE-2015-6757), and a bad cast issue in PDFium (CVE-2015-6758).

Mariusz Mlynski received the largest payout, $8,837, for the cross-origin bypass in Blink, followed by an anonymous researcher who got $6,337 for the use-after-free in PDFium. Collin Payne earned $3,500 for the ServiceWorker flaw, while Atte Kettunen was awarded $3,000 for the bad cast issue.

The medium severity flaws reported by bounty hunters are an information leakage bug in LocalStorage found by Muneaki Nishimura (CVE-2015-6759), an improper error handling issue in libANGLE reported by lastland.net (CVE-2015-6760), and memory corruption vulnerabilities in FFmpeg found by Aki Helin and an anonymous researcher (CVE-2015-6761).

The work of Google’s own security team resulted in various fixes and the patching of multiple flaws in the V8 open source JavaScript engine.

So far Google has paid out a total of nearly $25,000 to researchers who contributed to making Chrome more secure, but the amount could increase after all the vulnerabilities are analyzed by the Internet giant’s reward panel.

Google also announced on Tuesday that Chrome 46 brings some changes to the way users are informed about page security. Up until now, HTTPS sites that had minor errors were shown in the browser’s address bar with a yellow “caution triangle” badge.

From now on, the icon for HTTPS sites with minor errors will be the same as for HTTP websites. By doing so, Google wants to reduce the number of page security states Chrome users have to learn, and encourage website operators to speed up migration to proper HTTPS.

“We’ve come to understand that our yellow ‘caution triangle’ badge can be confusing when compared to the HTTP page icon, and we believe that it is better not to emphasize the difference in security between these two states to most users. For developers and other interested users, it will still be possible to tell the difference by checking whether the URL begins with ‘https://’,” the Chrome security team explained in a blog post.

In the future, Google plans on having only two security icons in Chrome: one for secure sites, and one for non-secure sites.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
