Google Fixes Dozens of Bugs in Chrome 42

Google has released Chrome 42, a major security upgrade to the browser that includes patches for 45 vulnerabilities.

The latest version of Chrome carries with it fixes for a number of high-severity bugs, including a cross-origin bypass in the HTML parser. That vulnerability earned an anonymous security researcher a reward of $7,500 from Google. In all, the company paid out more than $21,000 in rewards to external researchers who reported bugs fixed in this version.

Among the other serious flaws patched in Chrome 42 is a use-after-free in the IPC component of the browser and a type confusion bug in the V8 engine. There also is a cross-origin bypass in the Blink layout engine, for which Google paid a $4,000 reward to researcher Amitay Dobo.

The list of security vulnerabilities fixed in Chrome 42 for which Google paid rewards:

[$7500][456518] High CVE-2015-1235: Cross-origin-bypass in HTML parser. Credit to anonymous.

[$4000][313939] Medium CVE-2015-1236: Cross-origin-bypass in Blink. Credit to Amitay Dobo.

[$3000][461191] High CVE-2015-1237: Use-after-free in IPC. Credit to Khalil Zhani.

[$2000][445808] High CVE-2015-1238: Out-of-bounds write in Skia. Credit to cloudfuzzer.

[$1000][463599] Medium CVE-2015-1240: Out-of-bounds read in WebGL. Credit to w3bd3vil.

[$1000][418402] Medium CVE-2015-1241: Tap-Jacking. Credit to Phillip Moon and Matt Weston of Sandfield Information Systems.

[$500][460917] High CVE-2015-1242: Type confusion in V8. Credit to fcole@onshape.com.

[$500][455215] Medium CVE-2015-1244: HSTS bypass in WebSockets. Credit to Mike Ruddy.

[$500][444957] Medium CVE-2015-1245: Use-after-free in PDFium. Credit to Khalil Zhani.

[$500][437399] Medium CVE-2015-1246: Out-of-bounds read in Blink. Credit to Atte Kettunen of OUSPG.

[$500][429838] Medium CVE-2015-1247: Scheme issues in OpenSearch. Credit to Jann Horn.

[$500][380663] Medium CVE-2015-1248: SafeBrowsing bypass. Credit to Vittorio Gambaletta (VittGam).

In addition to the bugs reported by external researchers, Google also fixed a number of flaws discovered through its own internal audits and research.

Suggested articles

Using Fuzzing to Mine for Zero-Days

Infosec Insider Derek Manky discusses how new technologies and economic models are facilitating fuzzing in today’s security landscape.

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.