
Zero Day

Ryan Naraine and Dancho Danchev

Google plugs 'high risk' Chrome browser holes

October 20, 2010, 1:11pm PDT

Summary: Security flaws in Google Chrome can be exploited by malicious people to conduct spoofing attacks, bypass certain security restrictions, and potentially compromise a user’s system.

Google has shipped another Chrome browser update to fix multiple security security vulnerabilities.

Some of these security holes can be exploited by malicious people to conduct spoofing attacks, bypass certain security restrictions, and potentially compromise a user’s system, according to this Secunia advisory. Secunia rates this a “highly critical” update.

According to this basic documentation, there are a total of 11 vulnerabilities in this patch batch. Google is withholding details on most of the serious vulnerabilities until the majority of Chrome users are fully patched.

Some of the flaws affect Linux users only.

Here’s what we know:

  • [48225] [51727] (Medium-risk) Possible autofill / autocomplete profile spamming.
  • [48857] (High-risk) Crash with forms.
  • [50428] (Critical) Browser crash with form autofill. Credit to the Chromium development community.
  • [51680] (High-risk) Possible URL spoofing on page unload.
  • [53002] (Low-risk) Pop-up block bypass.
  • [53985] (Medium-risk) Crash on shutdown with Web Sockets.
  • [Linux only] [54132] (Low-risk) Bad construction of PATH variable.
  • [54500] (High-risk) Possible memory corruption with animated GIF. Credit to Simon Schaak.
  • [Linux only] [54794] (High-risk) Failure to sandbox worker processes on Linux.
  • [56451] (High-risk) Stale elements in an element map.
Google paid $1,000 in bounties to researchers who reported two of the 11 vulnerabilities.


Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a security evangelist. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Talkback Most Recent of 30 Talkback(s)

  • Forgive my ignorance
    So, these security vulnerabilities allow malicious people to "bypass certain security restrictions, and potentially compromise a user's system". Isn't that what ALL Google software does? Forgive my ignorance, but I think that any software that pillages my data is malicious so no Googly crap on my machines.
    itpro_z
    20th Oct 2010
  • Exactly!
    @itpro_z

    Google software is spyware. Nobody propagates more spyware than Google with its apps and services. But, Google does not want anybody else to get this valuable information, so they close other security holes as they find them.
    jorjitop
    21st Oct 2010
  • RE: Google plugs 'high risk' Chrome browser holes
    @jorjitop

    That is quite an allegation. Where is your proof? I run Google Chrome with no spyware and an extremely fast browsing experience.
    shanedr
    21st Oct 2010
  • RE: Google plugs 'high risk' Chrome browser holes
    Is "multiple security security vulnerabilities" more dangerous than "multiple security vulnerabilities"?
    Cyrorm
    20th Oct 2010
  • Agnostic_OS
    20th Oct 2010
  • RE: Google plugs 'high risk' Chrome browser holes
    @Agnostic_OS yes, because it is squared - it is not a linear growth, but exponential!
    Roque Mocan
    20th Oct 2010
  • Did I read this right?
    "Some of the flaws affect Linux users only."
    Michael Alan Goff
    20th Oct 2010
  • RE: Google plugs 'high risk' Chrome browser holes
    @goff256
    It appears so, though I'm sure someone will tell us that it only affects you if you don't use AppArmor correctly.
    Cyrorm
    20th Oct 2010
  • And he would be wrong
    @Cyrorm

    Those security flaws in Chrome are in no way related to the OS. There's nothing you can do at OS level to mitigate them.
    OS Reload
    20th Oct 2010
  • RE: Google plugs 'high risk' Chrome browser holes
    @OS Reload

    # [Linux only] [54794] (High-risk) Failure to sandbox worker processes on Linux.
    [Linux only] [54132] (Low-risk) Bad construction of PATH variable.

    For these two they are related to the OS and there is something I can do at an OS level to mitigate them, not use Linux.

    /Not saying it's the best solution as I like Linux and Windows, just putting holes in your argument
    Cyrorm
    20th Oct 2010
  • And since my car has no brakes there is something I can do at road level
    @Cyrorm

    there is something I can do at road level to mitigate: Not use the road.

    Or is it not use my car? Or fix it?

    Damn, now you got me confused.

    I'd swear I should fix the damn car browser but now you tell me I should stop using roads Linux instead.

    Are you sure that's what you mean? It sounds idiotic but if that's okay to you...
    OS Reload
    20th Oct 2010
  • RE: Google plugs 'high risk' Chrome browser holes
    @OS Reload

    A. I did say that it may not be the best resolution to the problem and that I was just blowing holes in your argument.

    B. OS and browser is not the same correlation as road and car. I can drive a car on any road (theoretically) but I can not use the same browser (Linux compiled) on any OS. Better correlation would be PC and OS to Road and Car since assuming you had the correct configuration, you could run any OS on any PC (theoretically). Brakes on a car would be the same as an application and to use brakes on a car it was not made for would have the same correlation of using an app on an OS it was not made for.
    Cyrorm
    20th Oct 2010
  • The car analogy is good
    @Cyrorm

    In my analogy a browser compiled for Linux is analogous to a car. A browser compiled for Windows may be analogous to a plane and one for Mac analogous to a boat.

    Each of those vehicles runs on a different platform: land (Linux), air (Windows), water (Mac.) Any permutation of these will do as well.

    A BMW is not that different from a Hyundai, comparing them is like comparing Ubuntu to Slackware, they share the same technical basis and when you look beyond the surface they are essentially the same thing only with different levels of polish and perfection.

    But when you compare Linux to windows things change a lot, they are totally different. It's like comparing cars and planes, or boats.
    OS Reload
    20th Oct 2010
  • Windows and UNIX are more alike than different.
    @OS Reload: But when you compare Linux to windows things change a lot, they are totally different. It's like comparing cars and planes, or boats.

    Aside from implementation details they share more in common than not.
    ye
    21st Oct 2010
  • That's because there are few developers working on Chrome for Linux
    @goff256

    Chrome for Windows is getting all the attention, as a result the Linux version has more faults. Development of Chrome for Linux is underpowered.

    Capice?
    OS Reload
    20th Oct 2010
