Patch/Configuration Management, Vulnerability Management

Google releases Chrome 43, addresses 37 bugs

Chrome 43 was promoted to the stable channel for Windows, Mac and Linux on Tuesday.

The update comes with 37 security fixes, six of which were considered “high” in severity, Google wrote on its update page. This version of Chrome had previously been released as a beta.

One sandbox escape bug, CVE-2015-1252, earned an anonymous researcher $16,337. Most of the bugs weren't thoroughly detailed because the team is waiting until a majority of users have updated.

Also addressed was CVE-2015-1265, which pertained to multiple issues found during internal audits, fuzzing and other initiatives.

Other high severity bugs included two cross-origin bypasses, one in DOM and one in Editing, as well as one use-after-free bug in WebAudio, one in SVG and one in Speech.

A reward of $7,500 was the second highest amount paid and went to the anonymous researcher who found the cross-origin bypass in DOM.

In the medium severity category were six bugs, one of which pertained to container-overflow in SVG. Others involved URL bar spoofing, a negative-size parameter in Libvpx and an uninitialized value in PDFium.

Only two low severity bugs were patched. The first, CVE-2015-1263, involved an insecure download of the spellcheck dictionary. The other, CVE-2015-1264, allowed for cross-site scripting in bookmarks.

Separately, a Google spokesperson told SCMagazine.com that a fix for “Logjam,” a vulnerability in the way Diffie-Hellman key exchange is deployed, will not reach a stable version of Chrome for at least a week. A fix in Chrome Canary, however, should be live in a day or two.
