Tuesday turned out to be a busy day for browser makers.
The three major vendors in the space—Google; Mozilla; and Microsoft—joined arms and announced their intent to stop support for the weakened RC4 encryption algorithm starting early next year.
Google, having already announced it would pause Flash-based ads in Chrome yesterday, pushed through version 45 of the browser, patching 29 security vulnerabilities in the process.
Google also awarded a number of bounties to external researchers for vulnerabilities that were patched in Chrome 45. Three cross-origin bypass vulnerabilities in DOM and ServiceWorker were worth $7,500 each; two of those bounties were collected by researcher Mariusz Mlynski. Mlynski is a well-known bug hunter in all the major browsers, having cashed in at the 2014 Pwn2Own contest with a Mozilla bug worth $50,000.
In all there were 10 bounties paid. From the Chrome blog:
[$7500][516377] High CVE-2015-1291: Cross-origin bypass in DOM. Credit to anonymous.
[$7500][522791] High CVE-2015-1292: Cross-origin bypass in ServiceWorker. Credit to Mariusz Mlynski.
[$7500][524074] High CVE-2015-1293: Cross-origin bypass in DOM. Credit to Mariusz Mlynski.
[$5000][492263] High CVE-2015-1294: Use-after-free in Skia. Credit to cloudfuzzer.
[$3000][502562] High CVE-2015-1295: Use-after-free in Printing. Credit to anonymous.
[$1000][421332] High CVE-2015-1296: Character spoofing in omnibox. Credit to zcorpan.
[$3000][510802] Medium CVE-2015-1297: Permission scoping error in WebRequest. Credit to Alexander Kashev.
[$3000][518827] Medium CVE-2015-1298: URL validation error in extensions. Credit to Rob Wu.
[$2000][416362] Medium CVE-2015-1299: Use-after-free in Blink. Credit to taro.suzuki.dev.
[$1000][511616] Medium CVE-2015-1300: Information leak in Blink. Credit to cgvwzq.
Google last week announced that it would begin on Tuesday pausing Flash ads in Chrome, primarily in the name of performance, but the move was applauded by security experts. Amazon echoed the move, also pausing Flash-based ads on its webpages.
Adobe’s Flash Player is a popular target for hackers given its presence on a number of platforms and the fact that those ads generally run automatically on websites, executing malicious code along with the ad. Google hopes to convince advertisers to convert Flash content to HTML5; Google has begun automatically converting some Flash ads to HTML5.
Google said in June its decision to pause Flash ads is based primarily on the need to increase page-load speed and battery life on mobile devices.
Yesterday, the major browser makers announced that deprecation of RC4 encryption would begin in the January-February 2016 timeframe. Mozilla expects the move to be official with the release of Firefox 44 in late January, while Chrome, Internet Explorer 11 and Microsoft Edge should follow suit by the end of February, Google and Microsoft said.
For more than a decade, researchers have been poking holes in RC4, finding biases in the stream cipher’s not-so random bytes used to encrypt plaintext. An attacker with enough time and processing power and access to enough TLS requests could figure out plaintext.