Google has patched a long list of serious security vulnerabilities in Chrome, including at least 19 highly rated flaws. The company patched a total of 31 vulnerabilities in Chrome 34 and paid out more than $28,000 in rewards to researchers who reported bugs to Google.
Among the security fixes in Chrome 34 are patches for a number of use-after-free vulnerabilities in various components of the browser. Google’s internal security team also discovered quite a few of the vulnerabilities patched in the latest release.
In addition to the security patches, Google introduced a change in Chrome 34 that will allow users to save passwords in the browser even if they have the autocomplete feature disabled.
“As we’ve previously discussed, Chrome will now offer to remember and fill password fields in the presence of autocomplete=off. This gives more power to users in spirit of the priority of constituencies, and it encourages the use of the Chrome password manager so users can have more complex passwords. This change does not affect non-password fields,” Daniel Xie of the Chrome team said.
Here’s the list of public bugs fixed in Chrome 34:
[$5000] High CVE-2014-1716: UXSS in V8. Credit to Anonymous.
[$5000] High CVE-2014-1717: OOB access in V8. Credit to Anonymous.
[$3000] High CVE-2014-1718: Integer overflow in compositor. Credit to Aaron Staple.
[$3000] High CVE-2014-1719: Use-after-free in web workers. Credit to Collin Payne.
[$2000] High CVE-2014-1720: Use-after-free in DOM. Credit to cloudfuzzer.
[$2000] High CVE-2014-1721: Memory corruption in V8. Credit to Christian Holler.
[$2000] High CVE-2014-1722: Use-after-free in rendering. Credit to miaubiz.
[$1500] High CVE-2014-1723: Url confusion with RTL characters. Credit to George McBay.
[$1000] High CVE-2014-1724: Use-after-free in speech. Credit to Atte Kettunen of OUSPG.
[$3000] Medium CVE-2014-1725: OOB read with window property. Credit to Anonymous
[$1000] Medium CVE-2014-1726: Local cross-origin bypass. Credit to Jann Horn.
[$1000] Medium CVE-2014-1727: Use-after-free in forms. Credit to Khalil Zhani.