Google Fixes Dozens of Bugs in Chrome 42

Google Chrome

Google has released Chrome 42, a major security upgrade to the browser that includes patches for 45 vulnerabilities.

The latest version of Chrome carries with it fixes for a number of high-severity bugs, including a cross-origin bypass in the HTML parser. That vulnerability earned an anonymous security researcher a reward of $7,500 from Google. In all, the company paid out more than $21,000 in rewards to external researchers who reported bugs fixed in this version.

Among the other serious flaws patched in Chrome 42 is a use-after-free in the IPC component of the browser and a type confusion bug in the V8 engine. There also is a cross-origin bypass in the Blink layout engine, for which Google paid a $4,000 reward to researcher Amitay Dobo.

The list of security vulnerabilities fixed in Chrome 42 for which Google paid rewards:

[$7500][456518] High CVE-2015-1235: Cross-origin-bypass in HTML parser. Credit to anonymous.

[$4000][313939] Medium CVE-2015-1236: Cross-origin-bypass in Blink. Credit to Amitay Dobo.

[$3000][461191] High CVE-2015-1237: Use-after-free in IPC. Credit to Khalil Zhani.

[$2000][445808] High CVE-2015-1238: Out-of-bounds write in Skia. Credit to cloudfuzzer.

[$1000][463599] Medium CVE-2015-1240: Out-of-bounds read in WebGL. Credit to w3bd3vil.

[$1000][418402] Medium CVE-2015-1241: Tap-Jacking. Credit to Phillip Moon and Matt Weston of Sandfield Information Systems.

[$500][460917] High CVE-2015-1242: Type confusion in V8. Credit to fcole@onshape.com.

[$500][455215] Medium CVE-2015-1244: HSTS bypass in WebSockets. Credit to Mike Ruddy.

[$500][444957] Medium CVE-2015-1245: Use-after-free in PDFium. Credit to Khalil Zhani.

[$500][437399] Medium CVE-2015-1246: Out-of-bounds read in Blink. Credit to Atte Kettunen of OUSPG.

[$500][429838] Medium CVE-2015-1247: Scheme issues in OpenSearch. Credit to Jann Horn.

[$500][380663] Medium CVE-2015-1248: SafeBrowsing bypass. Credit to Vittorio Gambaletta (VittGam).

In addition to the bugs reported by external researchers, Google also fixed a number of flaws discovered through its own internal audits and research.

Suggested articles