Google yesterday released an update for the Chrome browser that patches seven vulnerabilities and also updates Adobe Flash Player. It also announced that Google Safe Browsing has been extended to Chrome for Android.
The Chrome browser update is the second in less than a week; on Dec 1, Chrome 47 was released and 41 vulnerabilities were patched.
Yesterday’s update was a bit of reprieve after Adobe, Microsoft and Apple bombarded IT shops with close to 200 patches that must be downloaded, tested and deployed.
Of the seven Chrome patches, three qualified for rewards under Google’s external bug bounty:
- [$5000][548273] High CVE-2015-6788: Type confusion in extensions. Credit to anonymous.
- [$2000][557981] High CVE-2015-6789: Use-after-free in Blink. Credit to cloudfuzzer.
- [$500][542054] Medium CVE-2015-6790: Escaping issue in saved pages. Credit to Inti De Ceukelaire
The remaining vulnerabilities were discovered internally and will be catalogued under CVE-2015-6791.
Chrome users on Android, meanwhile, are protected by Safe Browsing by default as of Chrome 46 for the mobile OS. The service protects Chrome users from landing on malicious websites or software downloads from the Web. It checks URLs against a Google-maintained database of malicious sites and activity.
“Social engineering—and phishing in particular—requires different protection; we need to keep an up-to-date list of bad sites on the device to make sure we can warn people before they browse into a trap,” Google said in making the announcement. “Providing this protection on a mobile device is much more difficult than on a desktop system, in no small part because we have to make sure that list doesn’t get stale.”
Google explained that providing mobile devices the same protection desktops are afforded is a challenge given mobile data costs, speed and connectivity disparities worldwide. Google also said it prioritized the need to be sensitive of memory and battery consumption that constant updates would threaten.
“We also make sure that we send information about the riskiest sites first: if we can only get a very short update through, as is often the case on lower-speed networks in emerging economies, the update really has to count. We also worked with Google’s compression team to make the little data that we do send as small as possible,” Google said. “Together with the Android Security team, we made the software on the device extra stingy with memory and processor use, and careful about minimizing network traffic. All of these details matter to us; we must not waste our users’ data plans, or a single moment of their battery life.”
In November, Google expanded the scope of Safe Browsing to include social engineering protection, focusing on web pages that attempt to trick users into downloading malicious or potentially unwanted applications, as well as phony Google log-in pages.
