Google Fixes Handful of Bugs in Chrome

Type threatpost
Reporter Dennis Fisher
Modified 2015-06-22T22:26:28


Google has fixed several vulnerabilities in Chrome, including a pair of cross-origin bypasses and a high-risk scheme validation error.

The new release updates Chrome to version 43.0.2357.130 and includes patches for other security flaws as well, though Google has published information on only four of them. One of the vulnerabilities, the scheme-validation error, earned the researcher who reported it to Google a $5,000 bug bounty.

The published list of patched vulnerabilities in Chrome includes:

[$5000][464922] High CVE-2015-1266: Scheme validation error in WebUI. Credit to anonymous.

[TBD][494640] High CVE-2015-1268: Cross-origin bypass in Blink. Credit to Mariusz Mlynski.

[TBD][497507] Medium CVE-2015-1267: Cross-origin bypass in Blink. Credit to anonymous.

[TBD][461481] Medium CVE-2015-1269: Normalization error in HSTS/HPKP preload list. Credit to Mike Ruddy.

Google maintains a release schedule for Chrome that enables the company to patch vulnerabilities as needed. Some other companies, most notably Microsoft, patch their browsers on a regular basis, often releasing new versions that include a dozen or more patches. Google may release two or three new versions in a given month, or none at all, depending upon what’s needed.

Users can upgrade to the latest version of Chrome by going to the About Google Chrome option in the Settings menu.