SecurityWeek

Chrome 46 Patches Vulnerabilities, Simplifies Page Security Icon

Google announced on Tuesday the release of Chrome 46, a version that patches several serious vulnerabilities and simplifies the security icon displayed for each website.

The stable channel of Chrome 46 for Windows, Mac and Linux resolves a total of 24 security issues, some of which have been reported by external researchers.

The list of high severity flaws patched by Google includes a cross-origin bypass in the Blink rendering engine (CVE-2015-6755), a use-after-free in PDFium (CVE-2015-6756), a use-after-free in ServiceWorker (CVE-2015-6757), and a bad cast issue in PDFium (CVE-2015-6758).

Mariusz Mlynski received the largest payout, $8,837, for the cross-origin bypass in Blink, followed by an anonymous researcher who got $6,337 for the use-after-free in PDFium. Collin Payne earned $3,500 for the ServiceWorker flaw, while Atte Kettunen was awarded $3,000 for the bad cast issue.

The medium severity flaws reported by bounty hunters are an information leakage bug in LocalStorage found by Muneaki Nishimura (CVE-2015-6759), an improper error handling issue in libANGLE reported by lastland.net (CVE-2015-6760), and memory corruption vulnerabilities in FFmpeg found by Aki Helin and an anonymous researcher (CVE-2015-6761).

The work of Google’s own security team resulted in various fixes and the patching of multiple flaws in the V8 open source JavaScript engine.

So far Google has paid out a total of nearly $25,000 to researchers who contributed to making Chrome more secure, but the amount could increase after all the vulnerabilities are analyzed by the Internet giant’s reward panel.

Google also announced on Tuesday that Chrome 46 brings some changes to the way users are informed about page security. Up until now, HTTPS sites that had minor errors were shown in the browser’s address bar with a yellow “caution triangle” badge.

From now on, the icon for HTTPS sites with minor errors will be the same as for HTTP websites. By doing so, Google wants to reduce the number of page security states Chrome users have to learn, and encourage website operators to speed up migration to proper HTTPS.

“We’ve come to understand that our yellow ‘caution triangle’ badge can be confusing when compared to the HTTP page icon, and we believe that it is better not to emphasize the difference in security between these two states to most users. For developers and other interested users, it will still be possible to tell the difference by checking whether the URL begins with ‘https://’,” the Chrome security team explained in a blog post.

In the future, Google plans on having only two security icons in Chrome: one for secure sites, and one for non-secure sites.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
