Science fiction fans all know the significance of the number 42, and so does Google. Google yesterday released Chrome 42 to the stable channel for users on Windows, OS X and Linux, giving browser users more than four dozen new security fixes.
With Google's well-known sense of whimsy, its release notes for Chrome 42 point out that the answer to life, the universe and everything is among the fixes and improvements. This is a tip of the hat to Douglas Adams' classic Hitchhiker's Guide to the Galaxy book series, in which the number 42 is the answer to the question of the meaning of life.
On a more serious note, some of the 45 security fixes in Chrome 42 (technically Chrome 42.0.2311.90) address 12 vulnerabilities that were reported by third-party security researchers, four of which Google identified as high impact.
Researchers will receive a total of $21,500 in awards for their efforts. The largest single award is a $7,500 bounty given to a researcher identified only as "anonymous," for a cross-origin bypass issue in the HTML parser, identified as CVE-2015-1235.
In addition to these high-impact flaws, Google classified a number of noteworthy vulnerabilities as having medium impact. Among them is CVE-2015-1241, which earned Phillip Moon and Matt Weston of Sandfield Information Systems a $1,000 award. The flaw is a "tapjacking" vulnerability, which is a form of clickjacking. In a click- or tapjacking attack, the user clicks or taps on an object, which triggers an unintended and unauthorized action.
A $500 award is being paid to researcher Mike Ruddy for the discovery of an HSTS (HTTP Strict Transport Security) bypass flaw identified as CVE-2015-1244. HSTS is important because it forces a site to load over HTTPS, which is encrypted and secured. A bypass means an attacker could get around the intended security of a website.
Additionally, eSecurityPlanet has learned that a flaw not being called out by Google has reportedly been fixed in Chrome 42. The Chrome 41 browser was exploited during the HP-sponsored Pwn2own event last month. Sources informed eSecurityPlanet that the Chrome Pwn2own issue was fixed on the same day it was reported, with the fix first pushed into the beta for Chrome 42.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.