Google patched its Chrome browser this week, fixing 12 vulnerabilities, including both a serious information disclosure bug and a use-after-free vulnerability that could let users obtain potentially sensitive information and execute arbitrary code.
French security researcher Antoine Delignat-Lavaud discovered the information disclosure problem (CVE-2014-3166) in SPDY, an open networking protocol that transports web content. According to the National Vulnerability Database, the Public Key Pinning (PKP) implementation in the browser on Windows, OS X, Linux and Android fails to consider the SPDY handler. This could allow attackers to obtain sensitive information by leveraging the use of multiple domain names.