Google Patches 37 Security Bugs With Release of Chrome 43

Google announced on Tuesday that Chrome 43 is available for download. The latest release contains numerous improvements and fixes, including patches for a total of 37 security bugs.


The most serious vulnerability fixed in Chrome 43 is a sandbox escape (CVE-2015-1252) reported by an anonymous researcher. Google awarded the expert $16,337 for responsibly disclosing this high severity flaw.

A high severity cross-origin bypass in DOM (CVE-2015-1253), which Google rewarded with $7,500, was also credited to an anonymous researcher.

Armin Razmdjou of Rawsec was awarded $3,000 for reporting a cross-origin bypass in Editing (CVE-2015-1254). Khalil Zhani got the same amount for a use-after-free vulnerability affecting WebAudio (CVE-2015-1255) and an additional $1,000 for a medium impact use-after-free in WebRTC.

Atte Kettunen of OUSPG, who has often found security holes in web browsers, was awarded a total of $3,000 for a high severity use-after-free flaw in SVG (CVE-2015-1256) and a medium-severity issue in PDFium (CVE-2015-1259). The researcher known as “SkyLined” reported a serious use-after-free flaw in Speech through HP’s Zero Day Initiative, but his reward hasn’t been determined yet.

The other medium and low severity issues fixed by Google with the release of Chrome 43 have been described as a container overflow in SVG, a negative-size parameter issue in Libvpx, a URL bar spoofing bug, an uninitialized value in Blink, insecure download of spellcheck dictionary, and a cross-site scripting (XSS) vulnerability in bookmarks.

The list of people credited for reporting these security bugs includes miaubiz, cloudfuzzer, Juho Nurminen, Mike Ruddy, and K0r3Ph1L. Some issues have also been identified by Google’s own security team.


The rewards paid out by Google for all the vulnerabilities fixed in Chrome 43 so far total more than $38,000, but it’s worth noting that not all reports have gone through the reward panel yet.

Chrome 43 also introduces support for the “Upgrade Insecure Requests” Content Security Policy (CSP) directive. A site can use the directive to have the browser automatically upgrade HTTP requests to HTTPS before they are fetched.

When a page containing references to HTTP URLs is accessed through HTTPS, mixed-content warnings might be displayed. The directive helps avoid such warnings.

“We encourage authors to transition their sites and applications away from insecure transport, and onto encrypted and authenticated connections, but mixed content checking causes headaches. This feature allows authors to ask the user agent to transparently upgrade HTTP resources to HTTPS to ease the migration burden,” explained Chromium developers.
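
The behaviour described above, as an added example that is not from the article or from Chromium: a site opts in by sending the response header `Content-Security-Policy: upgrade-insecure-requests`, and the sketch below reports, for a constructed HTML sample, which insecure subresource URLs the browser would rewrite to HTTPS and which would remain mixed content without the directive. The function names, sample markup and hostnames are assumptions made for illustration.

```javascript
// Added example: models the upgrade decision for subresource URLs on an HTTPS page.
// SAMPLE_HTML, PAGE_URL and all hostnames are constructed for illustration.
const PAGE_URL = "https://www.example.test/index.html";
const SAMPLE_HTML = `
<img src="http://cdn.example.test/logo.png">
<script src="https://cdn.example.test/app.js"></script>
<script src="http://legacy.example.test:8080/widget.js"></script>
<img src="/local.png">`;

// Directive names present in a Content-Security-Policy header value
// (names are matched case-insensitively; values are ignored here).
function parseCspDirectives(headerValue) {
  return new Set(
    headerValue.split(";")
      .map((d) => d.trim().split(/\s+/)[0].toLowerCase())
      .filter(Boolean)
  );
}

// Rewrite http: to https:, keeping host, any non-default port, path and query.
function upgradeUrl(href) {
  const url = new URL(href);
  if (url.protocol === "http:") url.protocol = "https:";
  return url.href;
}

// Simplified scanner: only src attributes on a few tags. Use a real HTML
// parser for an actual audit.
const SRC_ATTR = /<(img|script|audio|video|source)\b[^>]*?\bsrc\s*=\s*["']([^"']+)["']/gi;

// List every insecure subresource and what the browser would fetch for it.
function auditMixedContent(html, pageUrl, cspHeader) {
  const upgrades = parseCspDirectives(cspHeader || "").has("upgrade-insecure-requests");
  const findings = [];
  for (const [, tag, raw] of html.matchAll(SRC_ATTR)) {
    const resolved = new URL(raw, pageUrl); // relative URLs inherit https:
    if (resolved.protocol !== "http:") continue;
    findings.push({
      tag: tag.toLowerCase(),
      original: resolved.href,
      fetched: upgrades ? upgradeUrl(resolved.href) : resolved.href,
      outcome: upgrades ? "upgraded" : "mixed-content",
    });
  }
  return findings;
}

console.log(auditMixedContent(SAMPLE_HTML, PAGE_URL, "upgrade-insecure-requests"));
```

Every URL reported as "upgraded" has to be reachable over HTTPS on the same host and port, because the browser does not fall back to HTTP when the upgraded fetch fails.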

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
