Google Chrome 42 Stomps A LOT Of Bugs & Disables Java By Default

Outsmart Malicious Hackers


Ah finally, the end of NPAPI is coming – a relic from the Netscape era the Netscape Plugin API causes a lot of instability in Chrome and security issues. It means Java is now disabled by default along with other NPAPI based plugins in Google Chrome 42.

Chrome will be removing support for NPAPI totally in Chrome 45.

Google Chrome 42 Stomps A LOT Of Bugs & Disables Java By Default

Other than that, they have also squashed 45 security issues and vulnerabilities, including some quite serious ones. And many, a product of their Bug Bounty program.

Google announced on Tuesday the availability of Chrome 42 for Windows, Mac and Linux. The latest release addresses a total of 45 security issues and removes NPAPI support.

Judging by the bug bounties paid out by Google, the most serious vulnerability fixed in Chrome 42 is a cross-origin bypass flaw in the HTML parser (CVE-2015-1235). The discovery of this high severity bug earned an anonymous researcher $7,500.

The list of high severity vulnerabilities also includes a type confusion in V8 (CVE-2015-1242) reported by Cole Forrester of Onshape, a use-after-free in IPC (CVE-2015-1237) reported by Khalil Zhani, and an out-of-bounds write bug in the Skia graphics engine (CVE-2015-1238) identified by cloudfuzzer.

The medium severity security issues reported by external researchers are a cross-origin-bypass in the Blink web browser engine, an out-of-bounds read in WebGL, a use-after-free in PDFium, a tap-jacking flaw, an HSTS bypass in WebSockets, an out-of-bounds read in Blink, scheme issues in OpenSearch, and a SafeBrowsing bypass.

The researchers who contributed to making Chrome more secure have been awarded a total of $21,500, according to a blog post published by Google. However, the total amount could be higher since there are some vulnerability reports that haven’t gone through the search giant’s reward panel.


The actual details of the bugs are not public right now, as the policy for Google is keep access to the details restricted until the majority of users are patched. It will be further restricted if the bug is in a third party library that other projects depend on and haven’t yet fixed.

Feature wise, they’ve also launched their implementation of the Push API for notifications.

“We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel,” wrote Alex Mineer of the Google Chrome team.

In September 2013, Google announced plans to phase out support for the Netscape Plugin API (NPAPI). The company noted at the time that the API’s 90s-era architecture was causing crashes, security issues and other problems.

In January 2014, Google blocked web page-instantiated NPAPI plugins by default, but whitelisted some of the most popular applications, such as Silverlight, Unity, Google Earth, Google Talk, and Facebook Video. Java was also on the list of most popular plugins using NPAPI, but it had been disabled earlier for security reasons.

Now, NPAPI support has been disabled by default in Chrome and extensions requiring NPAPI plugins will be removed from the Chrome Web Store. Advanced users and enterprises can temporarily re-enable NPAPI until the plugins they use transition to alternative technologies.

There’s more details from Google here: Stable Channel Update

I wish Firefox would keep up..

Source: Security Week

Posted in: Countermeasures

, , , ,


Latest Posts:


OWASP ZSC - Obfuscated Code Generator Tool OWASP ZSC – Obfuscated Code Generator Tool
OWASP ZSC is an open source obfuscated code generator tool in Python which lets you generate customized shellcodes and convert scripts to an obfuscated script.
A Look Back At 2017 – Tools & News Highlights A Look Back At 2017 – Tools & News Highlights
So here we are in 2018, taking a look back at 2017, quite a year it was. Here is a quick rundown of some of the best hacking/security tools released in 2017, the biggest news stories and the 10 most viewed posts on Darknet as a bonus.
Spectre & Meltdown Checker - Vulnerability Mitigation Tool For Linux Spectre & Meltdown Checker – Vulnerability Mitigation Tool For Linux
Spectre & Meltdown Checker is a simple shell script to tell if your Linux installation is vulnerable against the 3 "speculative execution" CVEs that were made public early 2018.
Hijacker - Reaver For Android Wifi Hacker App Hijacker – Reaver For Android Wifi Hacker App
Hijacker is a native GUI which provides Reaver for Android along with Aircrack-ng, Airodump-ng and MDK3 making it a powerful Wifi hacker app.
Sublist3r - Fast Python Subdomain Enumeration Tool Sublist3r – Fast Python Subdomain Enumeration Tool
Sublist3r is a Python-based tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting.
coWPAtty Download - Audit Pre-shared WPA Keys coWPAtty Download – Audit Pre-shared WPA Keys
coWPAtty is a C-based tool for running a brute-force dictionary attack against WPA-PSK and audit pre-shared WPA keys.


Comments are closed.