Tuesday, May 26, 2015

Google Chrome 43 fixes 37 vulns

Google has released Chrome 43, which patches 37 security flaws and brings numerous improvements across different components of the browser. Google is well known for its bug bounty program, and this release is no exception: the company has paid around $40,000 to security researchers. Google awarded the highest amount, $16,337, to an anonymous researcher who found a critical sandbox-escape vulnerability, addressed under CVE-2015-1252. Another anonymous researcher received $7,500 for finding a high-severity cross-origin bypass in DOM, covered under CVE-2015-1253. Armin Razmdjou of Rawsec was awarded $3,000 for revealing a cross-origin bypass in Editing, covered under CVE-2015-1254. Similarly, Khalil Zhani reported use-after-free issues affecting WebAudio and WebRTC. A reward of $3,000 went to Atte Kettunen of OUSPG for a high-severity use-after-free flaw in SVG and a medium-rated security flaw in PDFium.

Besides this, Chrome 43 also comes with a new Content Security Policy (CSP) feature called "Upgrade Insecure Requests", which automatically upgrades HTTP requests to HTTPS before the browser sends them.
