Google Chrome 42 Stomps A LOT Of Bugs & Disables Java By Default


Ah finally, the end of NPAPI is coming – a relic from the Netscape era the Netscape Plugin API causes a lot of instability in Chrome and security issues. It means Java is now disabled by default along with other NPAPI based plugins in Google Chrome 42.

Chrome will be removing support for NPAPI totally in Chrome 45.

Google Chrome 42 Stomps A LOT Of Bugs & Disables Java By Default

Other than that, they have also squashed 45 security issues and vulnerabilities, including some quite serious ones. And many, a product of their Bug Bounty program.

Google announced on Tuesday the availability of Chrome 42 for Windows, Mac and Linux. The latest release addresses a total of 45 security issues and removes NPAPI support.

Judging by the bug bounties paid out by Google, the most serious vulnerability fixed in Chrome 42 is a cross-origin bypass flaw in the HTML parser (CVE-2015-1235). The discovery of this high severity bug earned an anonymous researcher $7,500.

The list of high severity vulnerabilities also includes a type confusion in V8 (CVE-2015-1242) reported by Cole Forrester of Onshape, a use-after-free in IPC (CVE-2015-1237) reported by Khalil Zhani, and an out-of-bounds write bug in the Skia graphics engine (CVE-2015-1238) identified by cloudfuzzer.

The medium severity security issues reported by external researchers are a cross-origin-bypass in the Blink web browser engine, an out-of-bounds read in WebGL, a use-after-free in PDFium, a tap-jacking flaw, an HSTS bypass in WebSockets, an out-of-bounds read in Blink, scheme issues in OpenSearch, and a SafeBrowsing bypass.

The researchers who contributed to making Chrome more secure have been awarded a total of $21,500, according to a blog post published by Google. However, the total amount could be higher since there are some vulnerability reports that haven’t gone through the search giant’s reward panel.


The actual details of the bugs are not public right now, as the policy for Google is keep access to the details restricted until the majority of users are patched. It will be further restricted if the bug is in a third party library that other projects depend on and haven’t yet fixed.

Feature wise, they’ve also launched their implementation of the Push API for notifications.

“We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel,” wrote Alex Mineer of the Google Chrome team.

In September 2013, Google announced plans to phase out support for the Netscape Plugin API (NPAPI). The company noted at the time that the API’s 90s-era architecture was causing crashes, security issues and other problems.

In January 2014, Google blocked web page-instantiated NPAPI plugins by default, but whitelisted some of the most popular applications, such as Silverlight, Unity, Google Earth, Google Talk, and Facebook Video. Java was also on the list of most popular plugins using NPAPI, but it had been disabled earlier for security reasons.

Now, NPAPI support has been disabled by default in Chrome and extensions requiring NPAPI plugins will be removed from the Chrome Web Store. Advanced users and enterprises can temporarily re-enable NPAPI until the plugins they use transition to alternative technologies.

There’s more details from Google here: Stable Channel Update

I wish Firefox would keep up..

Source: Security Week

Posted in: Countermeasures

, , , ,


Latest Posts:


Aclpwn.Py - Exploit ACL Based Privilege Escalation Paths in Active Directory Aclpwn.Py – Exploit ACL Based Privilege Escalation Paths in Active Directory
Aclpwn.py is a tool that interacts with BloodHound< to identify and exploit ACL based privilege escalation paths.
Vulhub - Pre-Built Vulnerable Docker Environments For Learning To Hack Vulhub – Pre-Built Vulnerable Docker Environments For Learning To Hack
Vulhub is an open-source collection of pre-built vulnerable docker environments for learning to hack. No pre-existing knowledge of docker is required, just execute two simple commands.
LibInjection - Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) LibInjection – Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS)
LibInjection is a C library to Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) through lexical analysis of real-world Attacks.
Grype - Vulnerability Scanner For Container Images & Filesystems Grype – Vulnerability Scanner For Container Images & Filesystems
Grype is a vulnerability scanner for container images and filesystems with an easy to install binary that supports the packages for most major *nix based OS.
APT-Hunter - Threat Hunting Tool via Windows Event Log APT-Hunter – Threat Hunting Tool via Windows Event Log
APT-Hunter is a threat hunting tool for windows event logs made from the perspective of the purple team mindset to provide detection for APT movements hidden in the sea of windows event logs.
GitLab Watchman - Audit Gitlab For Sensitive Data & Credentials GitLab Watchman – Audit Gitlab For Sensitive Data & Credentials
GitLab Watchman is an app that uses the GitLab API to audit GitLab for sensitive data and credentials exposed internally, this includes code, commits, wikis etc


Comments are closed.