Choc Factory splatters 51 bugs, Mozilla bumps cert checker
Bad certs now killed faster
Google and Firefox have upgraded their flagship browsers, crushing bugs and cracking down on bad certificates along the way.
The Choc Factory's Chrome 41 swats 51 bugs of which at least 13 are classified as high severity and six considered medium risks.
Google engineer Penny MacNeil thanked security researchers for the effort to identify the bugs.
"We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel," MacNeil says. Here's this month's ameliorated messes:
- [$7500] High CVE-2015-1212: Out-of-bounds write in media. Credit to anonymous.
- [$5000] High CVE-2015-1213: Out-of-bounds write in skia filters. Credit to cloudfuzzer.
- [$5000] High CVE-2015-1214: Out-of-bounds write in skia filters. Credit to cloudfuzzer.
- [$5000] High CVE-2015-1215: Out-of-bounds write in skia filters. Credit to cloudfuzzer.
- [$4000] High CVE-2015-1216: Use-after-free in v8 bindings. Credit to anonymous.
- [$3000] High CVE-2015-1217: Type confusion in v8 bindings. Credit to anonymous.
- [$3000] High CVE-2015-1218: Use-after-free in dom. Credit to cloudfuzzer.
- [$3000] High CVE-2015-1219: Integer overflow in webgl. Credit to Chen Zhang (demi6od) of NSFOCUS Security Team.
- [$3000] High CVE-2015-1220: Use-after-free in gif decoder. Credit to Aki Helin of OUSPG.
- [$2500] High CVE-2015-1221: Use-after-free in web databases. Credit to Collin Payne.
- [$2500] High CVE-2015-1222: Use-after-free in service workers. Credit to Collin Payne.
- [$2000] High CVE-2015-1223: Use-after-free in dom. Credit to Maksymillian Motyl.
-  High CVE-2015-1230: Type confusion in v8. Credit to Skylined working with HP’s Zero Day Initiative.
- [$2000] Medium CVE-2015-1224: Out-of-bounds read in vpxdecoder. Credit to Aki Helin of OUSPG.
- [$1000] Medium CVE-2015-1225: Out-of-bounds read in pdfium. Credit to cloudfuzzer.
- [$1000] Medium CVE-2015-1226: Validation issue in debugger. Credit to Rob Wu.
- [$1000] Medium CVE-2015-1227: Uninitialized value in blink. Credit to Christoph Diehl.
- [$1000] Medium CVE-2015-1228: Uninitialized value in rendering. Credit to miaubiz.
- [$500] Medium CVE-2015-1229: Cookie injection via proxies. Credit to iliwoy.
Mozilla's updates Firefox version 37 include a revocation feature to bolster the killing of bad intermediate certificates.
The OneCRL replaces the Online Certificate Status Protocol which is less effective because it relies on third parties to keep updated registries of their valid and revoked certificates. Certificates were often accepted as soft-fails when the status could not be determined due to some technical or connectivity failure.
Mozilla's new list operates in the browser and is populated by issuers who push certificate status instead of the browser having to do the fetching.
This block-list, already used for blacklisting bad plugins and drivers, will now speed up checking times because it avoids the need for Mozilla to push out updates that require browser restarts, Mozilla security boffin Mark Goodwin says.
"OneCRL helps speed up revocation checking by maintaining a centralised list of revoked certificates and pushing it out to browsers. Currently, if a serious incident occurs that requires certificates to be revoked, we release an update to Firefox to address the problem.
"This is slow because it takes some time for users to get the security update and restart their browsers. There’s also cost involved in producing an update and in users downloading it."
Goodwin points to a blog by Google guy Adam Langley who said last year that the old revocation checking did little to improve security.
OneCRL for now covers intermediate certificates to reduce the size of Mozilla's blocklist and will be later sped up by automating the collection of revoked certificates. ®