Chrome 40 was promoted to the stable channel for Windows, Mac and Linux on Wednesday; the update includes 62 security fixes – several of which are for high impact vulnerabilities – and SSL 3.0 appears to have been disabled completely to make users more secure.
Google gave out thousands of dollars in rewards to several external researchers who dug up and reported bugs.
A researcher identified as ‘yangdingning' earned $9,000 for discovering two separate high impact memory corruption vulnerabilities in ICU, according to a Wednesday release. A researcher credited as Collin Payne was rewarded $4,500 for finding a high impact use-after-free bug in IndexedDB.
A use-after-free vulnerability in WebAudio, three separate memory corruption bugs in V8, four separate use-after-free flaws in DOM, two separate use-after-free vulnerabilities in FFmpeg, a use-after-free bug in Speech, a use-after-free bug in Views, a memory corruption flaw in Fonts, and a same-origin-bypass vulnerability in V8 are among the other high impact issues addressed in the update.
Additionally, SSL 3.0 appears to have been disabled completely.
Google had previously planned to disable the protocol completely in Chrome 40 for security purposes, according to an October 2014 post by Adam Langley, senior staff software engineer at Google. Fallback to SSL 3.0 was removed in Chrome 39 in November 2014, Langley confirmed in a tweet.
Disabling support for SSL 3.0 addresses POODLE, a severe vulnerability in SSL 3.0 that was discovered by Google researchers in October and could enable an attacker to intercept plaintext data from secure connections.
In a Thursday email correspondence, Google cited the Langley post – which said “in Chrome 40, we plan on disabling SSLv3 completely, although we are keeping an eye on compatibility issues that may arise” – but did not confirm to SCMagazine.com that SSL 3.0 is now officially disabled.
On Thursday, this reporter tested protocol support for Chrome 39 at this Qualys SSL Labs website prior to updating to Chrome 40 and was warned that the browser was vulnerable to POODLE and SSL 3.0 should be disabled. After updating, the browser was said to no longer be vulnerable.