Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Google Patches 29 Vulnerabilities With Release of Chrome 45

Google on Tuesday announced the availability of Chrome 45 for Windows, Mac, and Linux. The latest version of the web browser patches a total of 29 security issues, ten of which were reported by external researchers.

Google on Tuesday announced the availability of Chrome 45 for Windows, Mac, and Linux. The latest version of the web browser patches a total of 29 security issues, ten of which were reported by external researchers.

According to Google, six of the vulnerabilities reported by external researchers have been rated high severity. The list includes a couple of cross-origin bypass flaws in DOM (CVE-2015-1291, CVE-2015-1293), a cross-origin bypass in Service Worker (CVE-2015-1292), use-after-free flaws in Skia (CVE-2015-1294) and Printing (CVE-2015-1295), and a character spoofing bug in the Omnibox address bar (CVE-2015-1296).

Google has paid out $7,500 for each of the cross-origin bypass vulnerabilities, $5,000 for the use-after-free in Skia, $3,000 for the use-after-free in Printing, and $1,000 for the Omnibox spoofing issue.

The medium impact flaws patched with the release of Chrome 45.0.2454.85 are a permission scoping error in WebRequests, a URL validation error in extensions, and information leak and use-after-free bugs in the Blink web browser engine.

The vulnerabilities fixed in Chrome 45 have been reported by anonymous researchers, Mariusz Mlynski, Rob Wu, Alexander Kashev, and experts using the online monikers taro.suzuki.dev, cgvwzq, cloudfuzzer, and zcorpan.

The amount of money paid out by Google so far to those who contributed to making Chrome more secure is $40,500, but not all vulnerabilities have been reviewed by the search giant’s reward panel.

Google’s own security team has also identified many flaws through internal audits, fuzzing and other initiatives.

With the release of Chrome 45, Google has also started killing Flash ads. The company has decided to pause certain plugin content, including many Flash ads, in an effort to improve performance and reduce power consumption. Google is automatically converting most of the Flash ads uploaded to AdWords to HTML5. It has also provided tools that can be used to manually convert Flash ads to HTML5.

While Google’s decision to start killing Flash ads is apparently related to performance, security experts are happy to see the death of Flash due to the many vulnerabilities that have put users at risk over the past period.

Amazon has also stopped accepting Flash ads for Amazon.com starting with September 1. The e-commerce giant’s decision comes in response to the Flash content restrictions implemented by major web browser vendors.

Related Reading: Many High-Impact Flaws Discovered Using Fuzzers

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

A high-severity format string vulnerability in F5 BIG-IP can be exploited to cause a DoS condition and potentially execute arbitrary code.