Google released Chrome 43, which provides patches for 37 security flaws along with numerous improvements across different components of the browser. Google is well known for its bug bounty program, and this release is no exception: the company paid around $40,000 to security researchers. The highest reward, $16,337, went to an anonymous researcher who found a CRITICAL sandbox escape vulnerability, addressed under CVE-2015-1252. Another anonymous researcher received $7,500 for finding a high-severity cross-origin bypass in DOM, covered under CVE-2015-1253. Armin Razmdjou of Rawsec was awarded $3,000 for revealing a cross-origin bypass in Editing, covered under CVE-2015-1254. Khalil Zhani reported use-after-free issues affecting WebAudio and WebRTC. Atte Kettunen of OUSPG received $3,000 for a high-severity use-after-free flaw in SVG and a medium-severity security flaw in PDFium. Besides this, Chrome 43 also introduces a new Content Security Policy (CSP) directive, "Upgrade Insecure Requests", which instructs the browser to automatically upgrade a page's HTTP requests to HTTPS before fetching them.
Tuesday, May 26, 2015
FIRST EVER Security update for Apple Watch
Apple rolled out the first security update for its recently launched Apple Watch, which runs an iOS-based operating system. The company released patches for 13 security flaws affecting the kernel, Secure Transport, FontParser, the Foundation framework, IOHIDFamily and IOAcceleratorFamily components. According to the advisory, a flaw in FontParser allows execution of arbitrary code via a malformed font, while the Foundation framework is prone to an XML External Entity (XXE) vulnerability due to improper handling of XML files in NSXMLParser. The IOHIDFamily and IOAcceleratorFamily components could allow malicious applications to disclose the kernel memory layout. The remaining issues are in the kernel. Apple Watch OS 1.0.1 also fixes the FREAK vulnerability, which allows a man-in-the-middle attacker to intercept an encrypted connection and force it to use weak encryption to aid further attacks. This security update applies to Apple Watch, Apple Watch Sport and Apple Watch Edition.
Tuesday, May 19, 2015
13 Bulletins for last PATCH Tuesday
Microsoft recently stated officially that from now on users will receive security patches as soon as they are available, so this may be the last Patch Tuesday. It brings 13 security bulletins, three rated CRITICAL and the remaining ten rated IMPORTANT. The critical bulletins are MS15-043, which targets Internet Explorer and patches 22 CVEs; MS15-044, which addresses a font driver issue in Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Microsoft Lync, and Microsoft Silverlight; and MS15-045, which resolves a Windows Journal issue in Microsoft Windows. All three critical bulletins address flaws that allow remote code execution on a vulnerable system. The remaining bulletins address elevation of privilege and information disclosure issues.