JUST IN: As end of Q2 nears, IBM employees fret 'resource actions'

Topic: Windows

Discover

Google plugs 'high risk' Chrome security holes

Summary: Google has shipped a new version of its Chrome browser to fix three high-risk security holes that expose web surfers to malicious hacker attacks.

Ryan Naraine

By for Zero Day |

Google has shipped a new version of its Chrome browser to fix three high-risk security holes that expose web surfers to malicious hacker attacks.

In addition to the security patches the Google Chrome 5.0.375.125 update also  includes workarounds for two critical vulnerabilities where the root cause lies in external components -- a Windows kernel bug and a glibc vulnerability.

The patch is available for Linux, Mac, Windows and Chrome Frame.Technical details on the vulnerabilities are being withheld until the update is pushed out to end users.  Here's what we know right now:

  • [42736] Medium Memory contents disclosure in layout code. Credit to Michail Nikolaev.
  • [43813] High Issue with large canvases. Credit to sp3x of SecurityReason.com.
  • [47866] High Memory corruption in rendering code. Credit to Jose A. Vazquez.
  • [48284] High Memory corruption in SVG handling. Credit to Aki Helin of OUSPG.
  • [48597] Low Avoid hostname truncation and incorrect eliding. Credit to Google Chrome Security Team (Inferno).

Google paid a bounty of $4674 for this batch of security vulnerabilities.

Topics: Windows, Browser, Google, Operating Systems, Security, Software

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

26 comments
Log in or register to join the discussion

  • Even Google

    isn't impervious.

    -1 for the cloud.
    The one and only, Cylon Centurion
    Reply Vote

    • RE: Google plugs 'high risk' Chrome security holes

      @NStalnecker What do vulnerabilities in a browser have to do with Google's cloud efforts.

      "Chrome -1" would have been far more appropriate.
      betelgeuse68
      Reply Vote

      • Google it seems

        @betelgeuse68

        Is trying to push everyone to the cloud. That's where the company wants to go. For someone whose goal is to <s>con</s> persuade us to put all of our eggs into one basket, and even just dumped Windows because of security vulnerabilities, this doesn't bode well.
        The one and only, Cylon Centurion
        Reply Vote

    • RE: Google plugs 'high risk' Chrome security holes

      @NStalnecker FU. Google is not the cloud. I am sure they are happier now that you have dinged the cloud with Google's brand. My Pogoplug is the cloud, dammit.
      prof.ebral
      Reply Vote

  • What?

    I was told by certain trolls (that shall remain nameless) that chrome is so secure because it sandboxes itself from the OS so that malicious attacks cannot get in. You mean now that the browser is gaining popularity people trying to exploit it. That's unheard of.
    bobiroc
    Reply Vote

    • RE: Google plugs 'high risk' Chrome security holes

      @bobiroc No software system is impervious. There's only degrees of exposure, nothing more.

      One of the things Google Chrome did right was stripping the executable instances that render each tab of administrative rights which is simple applying the principle of least privilege:

      http://www.zdnet.com/blog/security/report-64-of-all-microsoft-vulnerabilities-for-2009-mitigated-by-least-privilege-accounts/5964

      The only software system that's 100% secure is one that doesn't exist.

      Most forum posts on this blog are utter nonsense.

      -M
      betelgeuse68
      Reply Vote

      • RE: Google plugs 'high risk' Chrome security holes

        @betelgeuse68

        That is the point I was trying to make if you can forgive my sarcasm. No matter what platform you use, what software you choose if it is software there is bound to be a hole and if someone wants to take the time they will expose it and use it for malicious gain.
        bobiroc
        Reply Vote

    • RE: Google plugs 'high risk' Chrome security holes

      @bobiroc I don't care what they say about their sandbox ... it does things it is not supposed too. Last time Google was fixing bugs most of them revolved around their sandboxed processes attempting to break the sandbox.
      prof.ebral
      Reply Vote

    • RE: Google plugs 'high risk' Chrome security holes

      @bobiroc

      Are you talking about the nameless trolls who bragged Chrome was so secure it wasn't hacked at 'Pwn2OWn'?
      How does it bode "extremely" well for Chrome's security system when NO ONE TRIED HACKING IT? The absence of trying is not results.
      sirpaul1
      Reply Vote

      • RE: Google plugs 'high risk' Chrome security holes

        @sirpaul1

        Yes that describes some of them. Some people think the definition of security is the fact no one cares to attack the OS/Software they choose. They also refuse to admit as an OS/Software gains popularity it becomes more appealing to hackers and then security flaws are found and exploited. They said the same thing about Firefox and MacOS and just about everything else and despite the fact that as those other softwares move up the marketshare/usage ladder they get attacked more they still want to believe that Microsoft is the only one that has security risks and everything else is secure by design.
        bobiroc
        Reply Vote

    • RE: Google plugs 'high risk' Chrome security holes

      @bobiroc, I had to disable the sandbox just to get Chrome to work on Windows XP.
      sorgfelt
      Reply Vote

  • 5 down, dozens to go. jump right on this LA county

    its going to be so entertaining to see your dirty laundry published on the net :-)
    Johnny Vegas
    Reply Vote

  • RE: Google plugs 'high risk' Chrome security holes

    TIP: Internet Explorer 8 (IE8) remains the most secure web browser:

    http://www.timacheson.com/Blog/2009/aug/ie8_is_the_most_secure_web_browser
    Tim Acheson
    Reply Vote

    • RE: Google plugs 'high risk' Chrome security holes

      @Tim Acheson that's a 2009 post.
      tehpea
      Reply Vote

      • RE: Google plugs 'high risk' Chrome security holes

        Gimmie some 'mo of that ActiveX
        LTV10
        Reply Vote

  • ?Internet Explorer 8 (IE8) remains the most secure web browser?

    Sure it is - if one's computer is not connected to the web....

    Henri
    mhenriday
    Reply Vote

  • The good, the bad & the Chrome

    Chrome Good: Fast; restores after its own crashes; many great add-ons, extensions; works great with GMail and Google Calendar; it's not IE and it's imho superior to Firefox (but your mileage nay vary).
    Chrome bad: Many crashes; Terrible customer support from the big G itself: users left to solve problems through forums; big G defends its 'right' to take money from any advertiser, no matter how despicable.
    But most of all, our growing lack of trust with the big G
    regarding privacy, security and supremacy.
    rroberto18
    Reply Vote

    • RE: Google plugs 'high risk' Chrome security holes

      @rroberto18 If you are concerned about privacy use Chromium instead of Chrome.

      Chrome is built upon Chromium.
      ssj6akshat
      Reply Vote

  • RE: Google plugs 'high risk' Chrome security holes

    We shouldn't be surprised that the hackers have come after Chrome. Did we actually expect otherwise? They've been working on finding exploits since inception. Once the software is released, they go for broke tearing at it until a hole can be found. From beta on up.
    mcswan454
    Reply Vote

  • Chrome problem connected to firefox

    I am using firefox and sometimes my browser freeze but the interesting part of the problem is the scripts are mostly from Google Chrome based on the error description. Is it really true that Chrome problem is affecting my firefox browser
    final_frontier2002@...
    Reply Vote
CNET Join | Log In | Privacy | Cookies Close