Google plugs 'high risk' Chrome browser holes

Google plugs 'high risk' Chrome browser holes

Summary: Security flaws in Google Chrome can be exploited by malicious people to conduct spoofing attacks, bypass certain security restrictions, and potentially compromise a user's system.

SHARE:

Google has shipped another Chrome browser update to fix multiple security security vulnerabilities.

Some of these security holes can be exploited by malicious people to conduct spoofing attacks, bypass certain security restrictions, and potentially compromise a user's system, according to this Secunia advisory.Secunia rates this a "highly critical" update.

According to this basic documentation, there are a total of 11 vulnerabilities in this patch batch. Google is withholding details on most of the serious vulnerabilities until the majority of Chrome users are fully patches.

Some of the flaws affect Linux users only.follow Ryan Naraine on twitter

Here's what we know:

  • [48225] [51727] (Medium-risk) Possible autofill / autocomplete profile spamming.
  • [48857] (High-risk) Crash with forms.
  • [50428] (Critical) Browser crash with form autofill. Credit to the Chromium development community.
  • [51680] (High-risk) Possible URL spoofing on page unload.
  • [53002] (Low-risk) Pop-up block bypass.
  • [53985] (Medium-risk) Crash on shutdown with Web Sockets. [Linux only] [54132] (Low-risk) Bad construction of PATH variable.
  • [54500] (High-risk) Possible memory corruption with animated GIF. Credit to Simon Schaak.
  • [Linux only] [54794] (High-risk) Failure to sandbox worker processes on Linux.
  • [56451] (High-risk) Stale elements in an element map.

Google paid $1,000 in bounties to researchers who reported two of the 11 vulnerabilities.

Topics: Linux, CXO, Google, Open Source, Operating Systems, Software, IT Employment

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

30 comments
Log in or register to join the discussion
  • Forgive my ignorance

    So, these security vulnerabilities allow malicious people to "bypass certain security restrictions, and potentially compromise a user?s system". Isn't that what ALL Google software does? Forgive my ignorance, but I think that any software that pillages my data is malicious so no Googly crap on my machines.
    itpro_z
    • Exactly!

      @itpro_z

      Google software is spyware. Nobody propogates more spyware than Google with its apps and services. But, Google does not want anybody else to get this valuable information, so they close other security holes as they find them.
      jorjitop
      • RE: Google plugs 'high risk' Chrome browser holes

        @jorjitop

        That is quite an allegation. Where is your proof. I run google chrome with no spyware and an extremely fast browsing experience.
        shanedr
  • RE: Google plugs 'high risk' Chrome browser holes

    Is "multiple security security vulnerabilities" more dangerous than "multiple security vulnerabilities"?
    Cyrorm
    • RE: Google plugs 'high risk' Chrome browser holes

      @Cyrorm - many time more!
      Agnostic_OS
      • RE: Google plugs 'high risk' Chrome browser holes

        @Agnostic_OS yes, because it is squared - it is not a linear growth, but exponential!
        Roque Mocan
  • Did I read this right?

    "Some of the flaws affect Linux users only."
    Michael Alan Goff
    • RE: Google plugs 'high risk' Chrome browser holes

      @goff256
      It appears so, though I'm sure someone will tell us that it only affects you if you don't use AppArmor correctly.
      Cyrorm
      • And he would be wrong

        @Cyrorm

        Those security flaws in Chrome are in no way related to the OS. There's nothing you can do at OS level to mitigate them.
        OS Reload
      • RE: Google plugs 'high risk' Chrome browser holes

        @OS Reload

        # [Linux only] [54794] (High-risk) Failure to sandbox worker processes on Linux.
        [Linux only] [54132] (Low-risk) Bad construction of PATH variable.

        For these two they are related to the OS and there is something I can do at an OS level to mitigate them, not use Linux.

        /Not saying its the best solution as I like Linux and Windows, just putting holes in your argument
        Cyrorm
      • And since my car has no brakes there is something I can do at road level

        @Cyrorm <br><br>there is something I can do at road level to mitigate: Not use the road.<br><br>Or is it not use my car? Or fix it?<br><br>Dam, now you got me confused.<br><br>I'd swear I should fix the damn <del>car</del> <ins>browser</ins> but now you tell me I should stop using <del>roads</del> <ins>Linux</ins> instead.<br><br>Are you sure that's what you mean? It sounds idiotic but if that's okay to you...
        OS Reload
      • RE: Google plugs 'high risk' Chrome browser holes

        @OS Reload

        A. I did say that it may not be the best resolution to the problem and that I was just blowing holes in your argument.

        B. OS and browser is not the same correlation as road and car. I can drive a car on any road(theoretically) but I can not use the same browser(Linux compiled) on any OS. Better correlation would be PC and OS to Road and Car since assuming you had the correct configuration, you could run any OS on any PC(theoretically). Brakes on a car would be the same as an application and to use brakes on a car it was not made for would have the same correlation of using an app on an OS it was not made for.
        Cyrorm
      • The car analogy is good

        @Cyrorm <br><br>In my analogy a browser compiled for Linux is analogous to a car. A browser compiled for Windows may be analogous to a plane and one for Mac analogous to a boat.<br><br>Each of those vehicles runs on a different platform: land (Linux), air (Windows), water (Mac.) Any permutation of these will do as well.<br><br>A BMW is not that different from a Hyundai, comparing them is like comparing Ubuntu to Slackware, they share the same technical basis and when you look beyond the surface they are essentially the same thing only with different levels of polish and perfection.<br><br>But when you compare Linux to windows things change a lot, they are totally different. It's like comparing cars and planes, or boats.
        OS Reload
      • Windows and UNIX are more alike than different.

        @OS Reload: [i]But when you compare Linux to windows things change a lot, they are totally different. It's like comparing cars and planes, or boats.[/i]

        Aside from implementation details they share more in common than not.
        ye
    • That's because there are few developers working on Chrome for Linux

      @goff256 <br><br>Chrome for Windows is getting all the attention, as a result the Linux version has more faults. Development of Chrome for Linux is underpowered.<br><br>Capice?
      OS Reload
  • I wonder, when will Microsoft start doing the same?

    <i>"Google paid $1,000 in bounties to researchers who reported two of the 11 vulnerabilities."</i>

    I wonder, when will Microsoft start doing the same?

    Oh, they can't? Paying bounties to researchers who find vulnerabilities in Microsoft software would drive the company to bankruptcy?

    That's fair, finding vulnerabilities in Microsoft Software is so easy that every man and his dog would be making a nice living off of Microsoft bounties.
    OS Reload
    • Given their 99.9999% market share

      ... MSFT has all the hackers in the world doing it for them already for free so they don't have to bribe a few researchers, who would otherwise not piss onto Google's products even if they are on fire, to do it for them.
      LBiege
      • RE: Google plugs 'high risk' Chrome browser holes

        @LBiege

        Although your argument is solid, your numbers of market share are a tad off...
        Cyrorm
      • His argumenst are as solid as his numbers

        @Cyrorm

        His arguments are as solid as thin air.
        OS Reload
      • Well, then I would stab at a guess that

        @LBiege... MSFT shouldn't mind it when people work hard, and since they are doing it for free, pass that info to the rest of the world for Shitsandgiggles. After all if someone is doing something for your benefit, shouldn't they be compensated for their effort?
        Snooki_smoosh_smoosh