Yesterday Google released version 39 of its Chrome browser, fixing 42 known vulnerabilities altogether and removing support for falling back to the notorious SSL 3.0 protocol, which was the subject of the POODLE attack last month.
The attack was discovered by Google researchers in October. Shortly afterwards the company announced that it would update its browser so that it no longer allows servers to fall back to the older SSL 3.0 protocol. The attackers' technique was to force servers to fall back to this version instead of using the newer SSL/TLS versions, and then to decrypt traffic by sending numerous requests. Google is planning to remove the older protocol completely in the following months.
‘A little further down the line, perhaps in about three months, we hope to disable SSLv3 completely. The changes that I’ve just landed in Chrome only disable fallback to SSLv3 – a server that correctly negotiates SSLv3 can still use it. Disabling SSLv3 completely will break even more than just disabling the fallback but SSLv3 is now completely broken with CBC-mode ciphers and the only other option is RC4, which is hardly that attractive. Any servers depending on SSLv3 are thus on notice that they need to address that now,’ wrote a Google researcher last month.
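As an added example (not code from Google or from the original article), the check below parses a captured ServerHello record and flags a connection that ended up on SSLv3, separating the CBC and RC4 cases the quote mentions. The function names and the sample records are constructed for illustration.

```python
import struct

# Cipher suite IDs from the IANA TLS registry; only the few needed for this example.
SUITES = {
    0x0004: ("TLS_RSA_WITH_RC4_128_MD5", "RC4"),
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", "RC4"),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "CBC"),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "CBC"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "CBC"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "AEAD"),
}
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def parse_server_hello(record: bytes):
    """Return (version, suite_name, mode) chosen by the server in one ServerHello record."""
    if len(record) < 9:
        raise ValueError("truncated record")
    ctype, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 0x16 or len(body) != rec_len or rec_len < 4 or body[0] != 0x02:
        raise ValueError("not a complete ServerHello handshake record")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    # Layout: server_version(2) random(32) session_id_len(1) session_id cipher_suite(2) ...
    if len(hello) < 35 or len(hello) < 35 + hello[34] + 2:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[:2])[0]
    offset = 35 + hello[34]
    suite = struct.unpack("!H", hello[offset:offset + 2])[0]
    name, mode = SUITES.get(suite, (f"0x{suite:04X}", "unknown"))
    return VERSIONS.get(version, f"0x{version:04X}"), name, mode

def assess(record: bytes) -> str:
    """Classify the negotiated parameters the way the quoted warning does."""
    version, _name, mode = parse_server_hello(record)
    if version != "SSLv3":
        return "ok"
    return "sslv3-cbc" if mode == "CBC" else "sslv3-" + mode.lower()

def sample_hello(version: int, suite: int, session_id: bytes = b"") -> bytes:
    """Build a constructed ServerHello record (zeroed random) for offline testing."""
    hello = (struct.pack("!H", version) + bytes(32) + bytes([len(session_id)])
             + session_id + struct.pack("!HB", suite, 0))
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, version, len(handshake)) + handshake

if __name__ == "__main__":
    for ver, suite in [(0x0300, 0x002F), (0x0300, 0x0005), (0x0303, 0xC02F)]:
        rec = sample_hello(ver, suite)
        print(parse_server_hello(rec), "->", assess(rec))
```

Run against ServerHello records taken from a packet capture, a result of `sslv3-cbc` or `sslv3-rc4` identifies the servers the quote puts "on notice".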
Among the patches are fixes for several high-risk vulnerabilities, including buffer and integer overflows and use-after-free bugs, all of which were reported by researchers. The company paid a total of $25,000 in prizes to those who raised these flags, and a further $16,500 in total to those who found errors during development.
Here’s the whole list of researchers, their prizes and the problem they raised a flag on:
[Prize $500][Patch 389734] High CVE-2014-7899: Address bar spoofing. Credit to Eli Grey.
[Prize $1500][Patch 406868] High CVE-2014-7900: Use-after-free in pdfium. Credit to Atte Kettunen from OUSPG.
[Prize $1000][Patch 413375] High CVE-2014-7901: Integer overflow in pdfium. Credit to cloudfuzzer.
[Prize $1000][Patch 414504] High CVE-2014-7902: Use-after-free in pdfium. Credit to cloudfuzzer.
[Prize $3000][Patch 414525] High CVE-2014-7903: Buffer overflow in pdfium. Credit to cloudfuzzer.