Google announced on Tuesday the release of Chrome 46, a version that patches several serious vulnerabilities and simplifies the security icon displayed for each website.
The stable channel of Chrome 46 for Windows, Mac and Linux resolves a total of 24 security issues, some of which have been reported by external researchers.
The list of high severity flaws patched by Google includes a cross-origin bypass in the Blink rendering engine (CVE-2015-6755), a use-after-free in PDFium (CVE-2015-6756), a use-after-free in ServiceWorker (CVE-2015-6757), and a bad cast issue in PDFium (CVE-2015-6758).
Mariusz Mlynski received the largest payout, $8,837, for the cross-origin bypass in Blink, followed by an anonymous researcher who got $6,337 for the use-after-free in PDFium. Collin Payne earned $3,500 for the ServiceWorker flaw, while Atte Kettunen was awarded $3,000 for the bad cast issue.
The medium severity flaws reported by bounty hunters are an information leakage bug in LocalStorage found by Muneaki Nishimura (CVE-2015-6759), an improper error handling issue in libANGLE reported by lastland.net (CVE-2015-6760), and memory corruption vulnerabilities in FFMpeg found by Aki Helin and an anonymous researcher (CVE-2015-6761).
The work of Google’s own security team resulted in various fixes and the patching of multiple flaws in the V8 open source JavaScript engine.
So far Google has paid out a total of nearly $25,000 to researchers who contributed to making Chrome more secure, but the amount could increase after all the vulnerabilities are analyzed by the Internet giant’s reward panel.
Google also announced on Tuesday that Chrome 46 brings some changes to the way users are informed about page security. Up until now, HTTPS sites that had minor errors were shown in the browser’s address bar with a yellow “caution triangle” badge.
From now on, the icon for HTTPS sites with minor errors will be the same as for HTTP websites. By doing so, Google wants to reduce the number of page security states Chrome users have to learn, and encourage website operators to speed up migration to proper HTTPS.
“We’ve come to understand that our yellow ‘caution triangle’ badge can be confusing when compared to the HTTP page icon, and we believe that it is better not to emphasize the difference in security between these two states to most users. For developers and other interested users, it will still be possible to tell the difference by checking whether the URL begins with ‘https://’,” the Chrome security team explained in a blog post.
In the future, Google plans on having only two security icons in Chrome: one for secure sites, and one for non-secure sites.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Hive Ransomware Operation Shut Down by Law Enforcement
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
- Dozens of Cybersecurity Companies Announced Layoffs in Past Year
- Security Update for Chrome 109 Patches 6 Vulnerabilities
- New Open Source OT Security Tool Helps Address Impact of Upcoming Microsoft Patch
- Forward Networks Raises $50 Million in Series D Funding
Latest News
- Critical Vulnerability Impacts Over 120 Lexmark Printers
- BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- Microsoft Urges Customers to Patch Exchange Servers
- Iranian APT Leaks Data From Saudi Arabia Government Under New Persona
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Cyberattacks Target Websites of German Airports, Admin
- US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’
