Use-after-free and SPDY information disclosure glitches have been repaired

Aug 13, 2014 07:20 GMT

Google rolled out an update for version 36 of the Chrome browser for Windows, Mac and Linux, including a set of security fixes, along with the latest revision of Flash Player.

A total of 12 vulnerabilities have been repaired in this release. As usual, some of them were discovered by external security researchers, who were rewarded for their efforts through Google’s bug bounty program.

For a use-after-free security flaw (CVE-2014-3165) in web sockets, Google paid $2,000 / €1,500 to researcher Collin Payne; additional information about this flaw is not available at the moment.

From another external researcher, the Google team received details about a security glitch that could lead to information disclosure in SPDY. Identified as CVE-2014-3166, the discovery is credited to Antoine Delignat-Lavaud, a second-year PhD student in the Prosecco team at Inria Paris.

To prevent the information leakage, Chrome developers decided to disable SPDY and QUIC session pooling in the latest revision of the web browser.

SPDY is a network protocol designed to reduce page load times and improve security by changing how HTTP traffic is transported.

For users, disabling it means somewhat slower page loads on websites that use the protocol, but the added latency is not significant enough to noticeably affect browsing.

Additional input came from the internal security team, which discovered an undisclosed number of glitches through internal audits and code fuzzing.

Build 36.0.1985.143 of the web browser also updates the Adobe Flash Player plug-in to the recently released version 14.0.0.177.

Adobe patched seven critical vulnerabilities, most of them memory leaks that could be exploited to bypass memory protection mechanisms such as address space layout randomization (ASLR).