Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Chrome 46 Patches Vulnerabilities, Simplifies Page Security Icon

Google announced on Tuesday the release of Chrome 46, a version that patches several serious vulnerabilities and simplifies the security icon displayed for each website.

Google announced on Tuesday the release of Chrome 46, a version that patches several serious vulnerabilities and simplifies the security icon displayed for each website.

The stable channel of Chrome 46 for Windows, Mac and Linux resolves a total of 24 security issues, some of which have been reported by external researchers.

The list of high severity flaws patched by Google includes a cross-origin bypass in the Blink rendering engine (CVE-2015-6755), a use-after-free in PDFium (CVE-2015-6756), a use-after-free in ServiceWorker (CVE-2015-6757), and a bad cast issue in PDFium (CVE-2015-6758).

Mariusz Mlynski received the largest payout, $8,837, for the cross-origin bypass in Blink, followed by an anonymous researcher who got $6,337 for the use-after-free in PDFium. Collin Payne earned $3,500 for the ServiceWorker flaw, while Atte Kettunen was awarded $3,000 for the bad cast issue.

The medium severity flaws reported by bounty hunters are an information leakage bug in LocalStorage found by Muneaki Nishimura (CVE-2015-6759), an improper error handling issue in libANGLE reported by lastland.net (CVE-2015-6760), and memory corruption vulnerabilities in FFMpeg found by Aki Helin and an anonymous researcher (CVE-2015-6761).

The work of Google’s own security team resulted in various fixes and the patching of multiple flaws in the V8 open source JavaScript engine.

So far Google has paid out a total of nearly $25,000 to researchers who contributed to making Chrome more secure, but the amount could increase after all the vulnerabilities are analyzed by the Internet giant’s reward panel.

Google also announced on Tuesday that Chrome 46 brings some changes to the way users are informed about page security. Up until now, HTTPS sites that had minor errors were shown in the browser’s address bar with a yellow “caution triangle” badge.

From now on, the icon for HTTPS sites with minor errors will be the same as for HTTP websites. By doing so, Google wants to reduce the number of page security states Chrome users have to learn, and encourage website operators to speed up migration to proper HTTPS.

“We’ve come to understand that our yellow ‘caution triangle’ badge can be confusing when compared to the HTTP page icon, and we believe that it is better not to emphasize the difference in security between these two states to most users. For developers and other interested users, it will still be possible to tell the difference by checking whether the URL begins with ‘https://’,” the Chrome security team explained in a blog post.

In the future, Google plans on having only two security icons in Chrome: one for secure sites, and one for non-secure sites.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.