Google plugs 'high risk' Chrome security holes

Google has shipped a new version of its Chrome browser to fix three high-risk security holes that expose web surfers to malicious hacker attacks.

In addition to the security patches, the Google Chrome 5.0.375.125 update also includes workarounds for two critical vulnerabilities where the root cause lies in external components -- a Windows kernel bug and a glibc vulnerability.

The patch is available for Linux, Mac, Windows and Chrome Frame. Technical details on the vulnerabilities are being withheld until the update is pushed out to end users. Here's what we know right now:

  • [42736] Medium Memory contents disclosure in layout code. Credit to Michail Nikolaev.
  • [43813] High Issue with large canvases. Credit to sp3x of SecurityReason.com.
  • [47866] High Memory corruption in rendering code. Credit to Jose A. Vazquez.
  • [48284] High Memory corruption in SVG handling. Credit to Aki Helin of OUSPG.
  • [48597] Low Avoid hostname truncation and incorrect eliding. Credit to Google Chrome Security Team (Inferno).

Google paid a bounty of $4674 for this batch of security vulnerabilities.

Talkback

26 comments
  • Even Google

    isn't impervious.

    -1 for the cloud.
    The one and only, Cylon Centurion
    • RE: Google plugs 'high risk' Chrome security holes

      @NStalnecker What do vulnerabilities in a browser have to do with Google's cloud efforts?

      "Chrome -1" would have been far more appropriate.
      betelgeuse68
      • Google it seems

        @betelgeuse68

        Is trying to push everyone to the cloud. That's where the company wants to go. For someone whose goal is to <s>con</s> persuade us to put all of our eggs into one basket, and even just dumped Windows because of security vulnerabilities, this doesn't bode well.
        The one and only, Cylon Centurion
    • RE: Google plugs 'high risk' Chrome security holes

      @NStalnecker FU. Google is not the cloud. I am sure they are happier now that you have dinged the cloud with Google's brand. My Pogoplug is the cloud, dammit.
      prof.ebral
  • What?

    I was told by certain trolls (that shall remain nameless) that Chrome is so secure because it sandboxes itself from the OS so that malicious attacks cannot get in. You mean now that the browser is gaining popularity people are trying to exploit it? That's unheard of.
    bobiroc
    • RE: Google plugs 'high risk' Chrome security holes

      @bobiroc No software system is impervious. There's only degrees of exposure, nothing more.

      One of the things Google Chrome did right was stripping the executable instances that render each tab of administrative rights, which is simply applying the principle of least privilege:

      http://www.zdnet.com/blog/security/report-64-of-all-microsoft-vulnerabilities-for-2009-mitigated-by-least-privilege-accounts/5964

      The only software system that's 100% secure is one that doesn't exist.

      Most forum posts on this blog are utter nonsense.

      -M
      betelgeuse68
      • RE: Google plugs 'high risk' Chrome security holes

        @betelgeuse68

        That is the point I was trying to make if you can forgive my sarcasm. No matter what platform you use, what software you choose if it is software there is bound to be a hole and if someone wants to take the time they will expose it and use it for malicious gain.
        bobiroc
    • RE: Google plugs 'high risk' Chrome security holes

      @bobiroc I don't care what they say about their sandbox ... it does things it is not supposed to. Last time Google was fixing bugs most of them revolved around their sandboxed processes attempting to break the sandbox.
      prof.ebral
    • RE: Google plugs 'high risk' Chrome security holes

      @bobiroc

      Are you talking about the nameless trolls who bragged Chrome was so secure it wasn't hacked at 'Pwn2OWn'?
      How does it bode "extremely" well for Chrome's security system when NO ONE TRIED HACKING IT? The absence of trying is not results.
      sirpaul1
      • RE: Google plugs 'high risk' Chrome security holes

        @sirpaul1

        Yes that describes some of them. Some people think the definition of security is the fact no one cares to attack the OS/Software they choose. They also refuse to admit as an OS/Software gains popularity it becomes more appealing to hackers and then security flaws are found and exploited. They said the same thing about Firefox and MacOS and just about everything else and despite the fact that as those other softwares move up the marketshare/usage ladder they get attacked more they still want to believe that Microsoft is the only one that has security risks and everything else is secure by design.
        bobiroc
    • RE: Google plugs 'high risk' Chrome security holes

      @bobiroc, I had to disable the sandbox just to get Chrome to work on Windows XP.
      sorgfelt
  • 5 down, dozens to go. jump right on this LA county

    It's going to be so entertaining to see your dirty laundry published on the net :-)
    Johnny Vegas
  • RE: Google plugs 'high risk' Chrome security holes

    TIP: Internet Explorer 8 (IE8) remains the most secure web browser:

    http://www.timacheson.com/Blog/2009/aug/ie8_is_the_most_secure_web_browser
    Tim Acheson
    • RE: Google plugs 'high risk' Chrome security holes

      @Tim Acheson that's a 2009 post.
      tehpea
      • RE: Google plugs 'high risk' Chrome security holes

        Gimmie some 'mo of that ActiveX
        LTV10
  • "Internet Explorer 8 (IE8) remains the most secure web browser"

    Sure it is - if one's computer is not connected to the web....

    Henri
    mhenriday
  • The good, the bad & the Chrome

    Chrome Good: Fast; restores after its own crashes; many great add-ons, extensions; works great with GMail and Google Calendar; it's not IE and it's imho superior to Firefox (but your mileage may vary).
    Chrome bad: Many crashes; Terrible customer support from the big G itself: users left to solve problems through forums; big G defends its 'right' to take money from any advertiser, no matter how despicable.
    But most of all, our growing lack of trust with the big G
    regarding privacy, security and supremacy.
    rroberto18
    • RE: Google plugs 'high risk' Chrome security holes

      @rroberto18 If you are concerned about privacy use Chromium instead of Chrome.

      Chrome is built upon Chromium.
      ssj6akshat
  • RE: Google plugs 'high risk' Chrome security holes

    We shouldn't be surprised that the hackers have come after Chrome. Did we actually expect otherwise? They've been working on finding exploits since inception. Once the software is released, they go for broke tearing at it until a hole can be found. From beta on up.
    mcswan454
  • Chrome problem connected to firefox

    I am using Firefox and sometimes my browser freezes, but the interesting part of the problem is the scripts are mostly from Google Chrome based on the error description. Is it really true that a Chrome problem is affecting my Firefox browser?
    final_frontier2002