Google plugs 'high-risk' holes in Chrome browser

Google plugs 'high-risk' holes in Chrome browser

Summary: Google has shipped a high-priority Chrome browser patch with fixes for three security vulnerabilities that expose users to cross-site scripting and data theft attacks.Google Chrome's beta and stable channels have been updated to version 1.

SHARE:

Google has shipped a high-priority Chrome browser patch with fixes for three security vulnerabilities that expose users to cross-site scripting and data theft attacks.

Google Chrome's beta and stable channels have been updated to version 1.0.154.46 to mitigate an issue with the Adobe Reader plug-in (two separate vulnerabilities) and to fix a bug in the V8 JavaScript engine could allow bypassing same-origin checks.

The skinny:

  • CVE-2007-0048 and CVE-2007-0045: Workaround for Adobe Reader Plugin Open Parameters Cross-Site Scripting Vulnerability

    • Google Chrome now refuses requests for javascript: URLs in Netscape Plugin API (NPAPI) requests from the Adobe Reader plugin. Adobe is aware of this issue and has helped us develop this mitigation while they work on a fix for all users.
    • Severity: Moderate. This could allow a PDF document to run scripts on arbitrary sites.

  • CVE-2009-0276: Javascript Same-Origin Bypass

    • A bug in the V8 JavaScript engine could allow bypassing same-origin checks in certain situations.
    • Severity: High. A malicious script in a page could read the full URL of another frame, and possibly other attributes or data from another frame in a different origin. This could disclose sensitive information from one website to a third party.

The patch (see release notes) also fixes problems with Yahoo Mail and Windows Live Hotmail.

ALSO READ:

Topics: Google, Browser, Enterprise Software, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

30 comments
Log in or register to join the discussion
  • Big Brother (spy-eye) is monitoring you.....

    With the Google desktop search, google tool bar, google toilet paper you are covered from head to toe monitoring!

    Plus, ALL of the private data is being scanned and sheep follow it because it is so cool.

    I use a scrapper that does not follow me for life...

    http://www.scroogle.org/cgi-bin/scraper.htm

    Christian_<><
    • ROFL good one

      Actually thought you were trying to be serious for a minute there. Haha.
      AzuMao
  • GOOG is in cahoots with Big Brother...

    BB gets the control and power...GOOG gets $$$:

    [quote]
    The group said, "Reportedly Google is pushing for the provisions so it may sell patient medical information to its advertising clients on the new 'Google Health' database."
    [end quote]

    http://www.worldnetdaily.com/index.php?fa=PAGE.view&pageId=87322
    Techboy_z
    • Don't think your are safe WITHOUT electronic recordkeeping.

      A neighbor of ours is a lawyer and would place
      his (un-shredded documents) to the curb for
      recycling in printer paper boxes each week
      (usually 2 boxes)

      One extremely windy day, the papers blew out of
      the box like gangbusters and scattered all over
      the neighborhood.

      I happened to be taking out the trash and
      noticed a paper in our side yard and examined
      it.

      It had every conceivable bit of personal and
      health information about a lady, including her
      age, address, prescription drug history, blood
      test results, social security number, the fact
      she had Cirrhosis of the Liver, etc.

      I collected the papers and gave them back to the
      lawyer and recommended that he get a cross-cut
      shredder.

      Google uses Linux and hasn't let me down in 5
      years with 23,000 emails. If they use the
      information, it's not specific to a particular
      user and provides generic data gathering for
      many purposes.

      The point people miss about Google is that
      everyone else does data gathering but does not
      spell out what they do like Google does. Better
      to give your data to Google than Microsoft or
      Yahoo.
      Joe.Smetona
      • Very well said.

        I remember a TV show where a man had hacked his ex-wife's medical account to find out where the shelter she was staying at was and went there to kill her. That show is mostly inspired by true stories; it certainly got me thinking.
        914four
      • Horseshit. You're saying it's better to be robbed by thief A than thief B..

        because thief A is a Google shill and a Linux zealot.
        transposeIT
        • See my post below and...

          How much do you spend a year on virus and malware protection? How much time rebooting and cleaning and dealing with virus problems?

          No thanks, I've had over 20 years of MS garbage.

          Have you tried Linux? Like most Windows posters here, I doubt it. How would you like it if I wrote negative posts about Windows if I never used it?

          Between the Conflicker worm infections (now 8 million) and massive botnet infections, do you really own your Windows computer?
          Joe.Smetona
          • and think its not a bug its a feature...

            Do you think that Linux has "special anticorps" to resist infections? Aren't both OS an existance as x86 instructions sequences? Don't you see that the value(security) of a program depends on how smart was the coder and how better he predicts "every" possible code threat.
            So why do you think that your Linux product are better than others. Were Linux developers super humans ?
            vbchr
      • You are wrong

        Profiling user with the collected user data is helpful when giving targeted ads. If you notice neither hotmail or yahoo gives targeted ads which require scanning your message body. Microsoft and Yahoo specifically decided to not intrude in users privacy by reading their mail contents just to provide ads. Google very happily does that. So dont tell us that whatever Google does is for the benefit of mankind. It is for the benefit of the share holders like any other company.

        Microsoft is under the DOJ Consent decree which explicitly states that people who have access to code (hotmail developers) should not have access to data (user mail data) and vice versa. Since they cannot see the data they cannot use the data. They are only allowed to collect anonymous data which cannot lead back to the user. So please stop saying that you are better off giving your details to Google than to MS or Yahoo.

        Another case, the EU has been saying that collecting IP addresses from search queries can lead back to the users so Yahoo and Microsoft both agreed to not collect that data while Google has been fighting against the idea because without IP they cannot profile and thus not profit from targeted ads.

        The point is MS has its faults so does Google so treat both the companies on equal footing. Praise when credit is due and similarly point of mistake when they are at fault
        TruthBeTold
        • I think you are over simplifying.

          First, no one protects browsing history like Google. Microsoft and Yahoo recently both caved in and released information to the US Government. Google faced legal action and still did not release the information.

          If you use Gmail, you get virtually no spam in your inbox. Their spam control system is second to none. (Random) Users on the front line identify spam and an algorithm is used to verify that is in fact spam. The result is millions of gmail users aren't faced with spam in their inbox. It's absolutely amazing compared to other free services. It makes sense from the Google perspective too. If they pick up spam in the inbox, it's going to throw off their targeted marketing and ads. As an indicator, I report about 3-4 spam emails a year that I find in my inbox. Because of this ratio, all users take a minimal responsibility to protect the entire group.

          As far as Microsoft and Yahoo, I see you being naive in accepting their jargon and promises. I believe the true picture takes shape when you consider the $44,000,000,000 bid by Microsoft to acquire Yahoo. MS is out to compete with Google and based on their past experience, they will bend or break any law to get there. Just look at the MS Eula. What's to stop them from changing their agreement for Hotmail and Yahoo Mail at any time? I think your defense of MS and Yahoo will falter based on the data gathering needs of a giant like MS. Really, why would they spend that kind of money for non-targeted ads - it just doesn't make sense.

          What good is Hotmail if it runs on Microsoft Servers? Just look at the recent Heartland disclosure - 100 million credit and debit account thefts. Best guess is they were using Microsoft-IIS/6.0 (Netcraft.com). I use Linux and I would trust my data with it any day over MS.

          What's wrong with targeted advertising? It's not a problem it's an asset. If you buy online, you are really losing out by not having Google. I've had Gmail for 5 years and never saw any ad that was a problem or offensive. They use robots to scan and collect data and match with their database, there are no real people reading your emails. They are only working with generic items that have a marketing interest. I've never noticed anything inappropriate.

          MS has the added advantage of using Vista and Win7 for data gathering. The Eula sure enough protects them. Why worry about just email when they can get data from everything you do on their OS. Does that fit into the DOJ reguations? If they get the same information from the OS, does that make it legal?

          My feeling is that all this critical update and WGA nonsense masks their data gathering exploits. Vista is just too big and XP is being turned into a Vista by service packs and updates. Yeah, they will do a critical update, but what else comes with it? It's closed source and protected by the Eula that you agreed to. That's why open source is so valuable -it can be examined for spyware.
          Joe.Smetona
          • one step further

            Use "scroogle scraper:"

            http://www.scroogle.org/cgi-bin/scraper.htm

            No personal info even gets to google. The search history is owned by scraper and is deleted after 30 days. It's never traceable to you. Can't beat that with Steve Ballmer's 3 wood driver.
            pgit
    • In other words...

      ...you are accepting a hearsay report of unsupported allegations on a right-wing nutbar website as evidence of something.

      I think you need a new tinfoil hat - that one's leaking.
      fairportfan
  • RE: Google plugs ?high-risk? holes in Chrome browser

    It is funny how the industry works in real world. We sent an email to Mr.Dancho letting him know about release of Google Chrome ClickJacking, though he has never responded to us lately. Hence, we considered this as our last email to ZDNET Security team.

    http://evilfingers.com/advisory/Advisory/Google_Chrome_1.0.154.43_ClickJacking_Vulnerability.php released the Google Chrome 1.0.154.43 ClickJacking Vulnerability yesterday and ZDNET Security team did not want to post the truth we guess.

    It is good to tell the truth to the people that they are insecure, rather than telling a lie that could cost their fortune.
    EvilFingers
  • This is amazing only 7 talkbacks so far!!!

    If this had been a flaw in IE8, good lord, i am sure to have seen atleast 500 messages spewing blood and hatred onto Microsoft. Now that peoples beloved Google's software has security issues, not many people are ready to talkback about it, lest accept it!
    TruthBeTold
    • .......

      Probably because there aren't many people in the world who can be bothered using chrome.
      Scarface Claw
    • Maybe because...

      ...ZDNet had some problems earlier today.

      I couldn't log in to save my life, not with IE, nor FireFox it's a safe bet it wasn't a browser issue. ZDNet wouldn't even let me create a new user ID.

      Given the lack of posts here and elsewhere, it's likely to be a problem on their end, which has since been rectified...
      Wolfie2K3
    • You have to differentiate OS's

      Everything is a problem with MS. Period.

      The open source programs like OpenOffice and Firefox are written up like they have flaws. They have flaws alright - like trying to protect Windows quriks.

      If you use Linux, there really isn't any concern for security when using OpenOffice or Firefox. It's a non-issue. Unfortunately, trying to get a program to work with Windows and be secure isn't easy.

      Chrome is no different. I prefer it for everyday use, but will also use it on Linux when it becomes available. It's faster than anything else.
      Joe.Smetona
    • Maybe because

      It was actually fixed as soon as it was discovered, rather then left in for months like the numerous IE exploits (which actually allow arbitrary code execution on the OS)..
      AzuMao
  • RE: Google plugs ?high-risk? holes in Chrome browser

    " ... we considered this ..." is in the past tense. So, may I assume you will mail to ZDNET Security team in the future?? What made you change your mind?
    gerard.de.graan@...
  • Google

    Here's my main issue. I don't mind adding this and that to my computer to provide higher levels of digital security. But with Google laying off and the grid in parts shutting down and leaving information and technology gaps everywhere, how can I be sure that my technology is still safe?

    I'm wondering if you wouldn't mind writing a speculative article on that kind of subject. The real issues that we are thinking about. We know about the technology. We just want to know if it will continue to work for us.

    I was looking through http://www.justaskgemalto. I found it educational certainly but wondering about your professional perspective.
    Andrew Merrick