Google Fixes Dozens of Bugs in Chrome 42

Google Chrome
Author: Dennis Fisher
minute read

Google has released Chrome 42, a major security upgrade to the browser that includes patches for 45 vulnerabilities.

The latest version of Chrome carries with it fixes for a number of high-severity bugs, including a cross-origin bypass in the HTML parser. That vulnerability earned an anonymous security researcher a reward of $7,500 from Google. In all, the company paid out more than $21,000 in rewards to external researchers who reported bugs fixed in this version.

Among the other serious flaws patched in Chrome 42 is a use-after-free in the IPC component of the browser and a type confusion bug in the V8 engine. There also is a cross-origin bypass in the Blink layout engine, for which Google paid a $4,000 reward to researcher Amitay Dobo.

The list of security vulnerabilities fixed in Chrome 42 for which Google paid rewards:

[$7500][456518] High CVE-2015-1235: Cross-origin-bypass in HTML parser. Credit to anonymous.

[$4000][313939] Medium CVE-2015-1236: Cross-origin-bypass in Blink. Credit to Amitay Dobo.

[$3000][461191] High CVE-2015-1237: Use-after-free in IPC. Credit to Khalil Zhani.

[$2000][445808] High CVE-2015-1238: Out-of-bounds write in Skia. Credit to cloudfuzzer.

[$1000][463599] Medium CVE-2015-1240: Out-of-bounds read in WebGL. Credit to w3bd3vil.

[$1000][418402] Medium CVE-2015-1241: Tap-Jacking. Credit to Phillip Moon and Matt Weston of Sandfield Information Systems.

[$500][460917] High CVE-2015-1242: Type confusion in V8. Credit to fcole@onshape.com.

[$500][455215] Medium CVE-2015-1244: HSTS bypass in WebSockets. Credit to Mike Ruddy.

[$500][444957] Medium CVE-2015-1245: Use-after-free in PDFium. Credit to Khalil Zhani.

[$500][437399] Medium CVE-2015-1246: Out-of-bounds read in Blink. Credit to Atte Kettunen of OUSPG.

[$500][429838] Medium CVE-2015-1247: Scheme issues in OpenSearch. Credit to Jann Horn.

[$500][380663] Medium CVE-2015-1248: SafeBrowsing bypass. Credit to Vittorio Gambaletta (VittGam).

In addition to the bugs reported by external researchers, Google also fixed a number of flaws discovered through its own internal audits and research.

Suggested articles

Cybersecurity for your growing business
Cybersecurity for your growing business

Topics

Show all

Authors

Threatpost

InfoSec Insider

Infosec Insider Post

Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Content

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.