14 DAY TRIAL // Google rolled out a new release for the stable version of the Chrome browser, 43.0.2357.130, delivering fixes for high severity security flaws.
The list of bugs has been partially disclosed, with only four issues being revealed by the developer, two of them representing a high risk.
High severity bugs fixed
A researcher who chose to remain anonymous reported to Google a scheme validation error in WebUI, now tracked as CVE-2015-1266, and received a reward of $5,000 / €4,440. This is the only vulnerability for which a bug bounty has been established.
Another high severity problem was reported by Mariusz Mlynski, a security researcher from Poland who managed at this year’s Pwn2Own hacking competition to exploit a cross-origin vulnerability in Mozilla Firefox and achieve privilege escalation within the browser in less than a second.
The bug in Chrome consists in a cross-origin bypass in the browser's layout engine, Blink, and has been assigned the CVE identifier CVE-2015-1268.
Bug details kept under wraps until most users update
The other two issues repaired in the latest Chrome are marked with medium severity and refer to another cross-origin bypass (credited to an anonymous reporter) and a normalization error in HSTS/HPKP preload list, reported by researcher Mike Ruddy.
Chrome 43.0.2357.130 is currently available for Windows, Mac and Linux and it addresses a larger number of vulnerabilities. Details about the problems are not publicly revealed until most users have applied the update.
Google generally announces security fixes when pushing a major version of its browser, but patches can be delivered with minor releases, if needed.
When Chrome 43 was launched, the company poured $40,000 / €35,500 into rewards for external security researchers, the highest being of $16,337 / €14,500 for a sandbox escape (CVE-2015-1253), reported by someone who decided to remain anonymous.