Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

High-risk flaw dings Google Chrome

By | November 6, 2009, 9:18am PST

Summary: A “high-risk” flaw in Google Chrome presents a threat of arbitrary code execution.

Google has pushed out a Chrome browser update to fix a pair of security vulnerabilities that expose users to malicious hacker attacks.

One of the flaws carries a “high-risk” rating because of the threat of arbitrary code execution.

[ SEE: Study: Silent patching best for securing browsers ]

  • Vulnerability #1: Chrome did not warn the user about certain possibly dangerous file types such as SVG, MHT and XML files. In some browsers, JavaScript embedded in these files executes when the file is opened, and because it then runs in the local (file://) context it may be able to read local resources. Details are being withheld until the fix has been pushed out to a majority of users.
  • Vulnerability #2: A malicious site could use the Gears SQL API to put SQL metadata into a bad state, which could cause a subsequent memory corruption. This may lead to a Gears plugin crash or possibly arbitrary code execution. Google says this issue will be made public once a majority of users are up to date with the fix.

The patch is being silently distributed to all Google Chrome users.
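As an added example that is not part of the original post and is not Chrome's own code: the download-side check a practitioner would want for Vulnerability #1, a classifier that flags SVG, MHT and XML downloads and escalates when the file actually carries script. The extension list, the active-content markers and the allow/warn/block verdicts are this example's assumptions, and the sample files it runs on are constructed. It goes slightly beyond the three types named in the advisory by also catching namespaced script elements in generic XML and script inside the HTML parts of an MHT archive.

```python
"""Flag SVG, MHT and XML downloads that carry active script content.

Added example, not Chrome code. Mirrors the risk in Vulnerability #1: a
file of one of these types opened from disk may run JavaScript in the local
file:// context. A download pipeline or mail gateway can run this before the
file is saved or opened. The extension list, the markers and the verdict
names are assumptions of this example; the sample files are constructed.
"""
import email
import re
from email import policy
from pathlib import PurePosixPath

# Types the advisory names as possibly dangerous, plus their common aliases.
RISKY_EXTENSIONS = {".svg", ".mht", ".mhtml", ".xml", ".xhtml"}

# Markers of active content in XML-based markup (SVG, XHTML, or generic XML
# that pulls in the XHTML namespace). Regexes rather than an XML parser, so
# that malformed or deliberately odd markup is still inspected.
_MARKERS = (
    ("script element", re.compile(r"<\s*(?:[\w.-]+:)?script\b", re.IGNORECASE)),
    ("event handler attribute", re.compile(r"\son[a-z]+\s*=", re.IGNORECASE)),
    ("javascript: URL", re.compile(r"(?:href|src)\s*=\s*['\"]\s*javascript:", re.IGNORECASE)),
)


def find_active_content(markup: str) -> list[str]:
    """Return the names of every active-content marker present in the markup."""
    return [name for name, pattern in _MARKERS if pattern.search(markup)]


def mht_markup_parts(raw: bytes) -> list[str]:
    """Extract the HTML, XHTML and SVG parts of an MHT (MIME HTML) archive as text."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "application/xhtml+xml", "image/svg+xml"):
            content = part.get_content()
            if isinstance(content, bytes):  # non-text/* parts come back as bytes
                content = content.decode("utf-8", errors="replace")
            parts.append(content)
    return parts


def assess_download(filename: str, data: bytes) -> dict:
    """Classify a download as 'allow' (not a risky type), 'warn' (risky type,
    no script seen: the advisory's point is that the type alone deserves a
    warning) or 'block' (risky type with script content)."""
    ext = PurePosixPath(filename.lower()).suffix
    if ext not in RISKY_EXTENSIONS:
        return {"filename": filename, "verdict": "allow", "findings": []}
    findings: list[str] = []
    if ext in (".mht", ".mhtml"):
        for markup in mht_markup_parts(data):
            for name in find_active_content(markup):
                if name not in findings:
                    findings.append(name)
    else:
        findings = find_active_content(data.decode("utf-8", errors="replace"))
    return {"filename": filename, "verdict": "block" if findings else "warn",
            "findings": findings}


# Constructed samples: a scripted SVG, a plain SVG, an MHT archive whose HTML
# part has an onload handler, and an XML document with a namespaced script.
SAMPLE_SCRIPTED_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.location)">
  <script>alert('runs in the file:// context when opened from disk')</script>
</svg>"""
SAMPLE_PLAIN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SAMPLE_MHT = b"""MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_Part_1"

------=_Part_1
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7bit

<html><body onload="alert(1)"><p>saved page</p></body></html>
------=_Part_1--
"""
SAMPLE_XML = b"""<?xml version="1.0"?>
<doc xmlns:h="http://www.w3.org/1999/xhtml"><h:script>alert(1)</h:script></doc>"""

if __name__ == "__main__":
    for name, data in [("chart.svg", SAMPLE_SCRIPTED_SVG), ("logo.svg", SAMPLE_PLAIN_SVG),
                       ("saved.mht", SAMPLE_MHT), ("data.xml", SAMPLE_XML),
                       ("archive.zip", b"PK\x03\x04")]:
        print(assess_download(name, data))
```

Run as a script it prints one verdict per sample. The "warn" verdict for a risky type with no visible script is deliberate: the advisory's complaint is that these types were downloaded with no warning at all, and a regex sweep cannot prove a file is inert, so the type itself still earns a prompt.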


Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

34 Comments

RE: High-risk flaw dings Google Chrome
lovedong 13th Sep
great psd. your works are amazing on DA. so beautiful
replica watches
no NoScript..No Google Chrome
znetlol Updated - 6th Nov 2009
This is one of the reasons I don't want to get near this browser. Till Google wakes up and builds add-on support for Adblock and NoScript, then and only then I might give it a try.

Chrome won't even give me the option to manually disable scripting.

When will that option be available? Chrome Version 10?

I am still waiting.

They will never...
Ceridan 6th Nov 2009
accept no-script because Google thinks that Javascript is the best thing since Coffee and therefore it would be heresy to block Javascript from executing.

Therefore Chrome will ALWAYS be more vulnerable than even IE because at least you can block Javascript in IE :)
Right click the shortcut, click properties, and
add "-disable-javascript" to the end of path.

Still, it really should have a way to do it on a
per-site basis.

Ah well.. it's not like Firefox is going away
anytime soon.
And they ARE working on a version of NoScript for
Google Chrome.... it's just taking longer than
usual because Google is still 'tweaking' Extension
support and the only version right now with
Extension support is the 'bleeding-edge' Dev
version.
Worst way...
Ceridan 9th Nov 2009
That is actually a bad way to stop JavaScript because it's NOT IN THE OPTIONS. So in this effect... IE is more secure because you can disable JavaScript not only by website but completely by just using a checkbox.

(note: unlike no-script, the IE way to block javascript and allow them per website basis requires a bit of work).
When I said
AzuMao 9th Nov 2009
"Still, it really should have a way to do it on
a per-site basis."



I thought it would be obvious to most people that
this is not a way to do it on a per-site basis.
No ads either
LBiege 6th Nov 2009
hohoho, Google will never publish an AdBlocker so FireFox all the way.
What's wrong with..
AzuMao Updated - 6th Nov 2009
..all the proxy and hosts-file based adblockers?
It is aptly called..... AdSweep! Do a simple
Google search for it, and you will find it very
easily.

It works pretty well as well, though it 'breaks'
some websites.... just a few though.
Sleek and fast. Check out the Iron browser from SRWare:

http://www.srware.net/en/software_srware_iron.php

"SRWare Iron is a real alternative. The browser is based on the Chromium-source and offers the same innovative features as Chrome -- without worrying about your privacy."

Iron has an easy to use and built-in ad-blocker which can be configured by a single file.

The current version of Google Chrome uses Version 530.5 of the Rendering-Engine WebKit and Version 1.1.10 of the V8 Javascript-Engine.

Iron uses the most up-to-date version (532.0) of Webkit and V8 (1.2.14) which is significantly faster.

Because enabling it BREAKS TOO MANY WEBSITES. I
am not kidding there, I totally disabled
JavaScript on Firefox one time... it broke 90%
of the websites I went to, including
USAToday.com, Baltimoresun.com, and
ChicagoTribune.com

I couldn't believe how many websites it broke.
Too many websites today use JavaScript and
other scripting, so disabling it (unless it is
on a site by site basis) is a bad idea.

Oh, and Google DOES support NoScript... it's
just that the people who make that thing
haven't made a version that is COMPATIBLE with
Google Chrome yet, because the Extension
support is still only in the 'bleeding edge'
Developer Version.
They're developing extensions
Macintoshtoffy 8th Nov 2009
They're developing extensions as part of Webkit but the question is about
creating something that expands functionality but doesn't increase
instability or possibility of crashing the browser. I would sooner Google,
Apple and so forth take their time and get the extension API designed
properly instead of rushing it.
Quick question
Joe_Raby 6th Nov 2009
Are all of these common security flaws actually built into the Webkit rendering engine, or just the rest of the software?

Wouldn't Safari be prone to these issues too, if they are a part of Webkit?

Safari, however, doesn't automatically install
security updates like Chrome does.
r4ds says
rickyvogay 7th Nov 2009
Thanx for the valuable information. I think Chrome works fine and there is no big deal about security.... keep posting. Will be visiting back soon.
(r4ds)
In Google Chrome today.... this must be the reason for
that. At least Google got a patch out VERY QUICKLY for
this issue, unlike Microsoft who can take up to a year to
find a fix for these issues (but that's mainly because of
ingrained IE in Windows Vista and XP).
The scariest thing about Chrome?
marksashton 7th Nov 2009
At a recent RSA conference there was a demo of a keylogger when using Chrome. Google logs EVERY keystroke that you type into the search box/address bar in Chrome. Even if you backspace to erase your search term, Google has recorded what you were THINKING about searching. I'm not a tinfoil hat type but that's just plain scary.
You are paranoid...
prof123 7th Nov 2009
It is true, they do record every word you type and I find
that it improves the results I'm getting. This is no big
secret, everybody knows. Personally, I have no problem
with that since I have nothing to hide. Whatever I
search for, I'm not ashamed of it.

I suppose if I was doing something illegal, I would take
measures that would make my tracking impossible..
i.e. use cash instead of credit card, use internet cafe, IP
masking software, encryption, clandestine meetings in
the woods)
You are paranoid...
pparks_2000 9th Nov 2009
Unfortunately you have hit the nail on the head with your statement "This is no big
secret, everybody knows." If Chrome is capturing the keystrokes it doesn't matter if what you are typing into the search box is something embarrassing or not. The point is, if the "bad guys" know they can use the register Chrome is storing those keystrokes in, they can capture your user names, passwords, etc. to your bank account or any other online service you use. You might want to think about using measures that would make capturing this data even more difficult if you:

a. use Chrome to do online banking or access secured servers

b. you don't want to have your identity stolen

just my two cents worth.
Yes
AzuMao 9th Nov 2009
If the "bad guys" convince you to type your credit
card number into the search box, without turning
off search suggestions, and they somehow gain full
control over Google's servers, and pull all of
these things off simultaneously, they could
get your credit card number!

Of course, it would be easier just to convince
someone to email you their credit card number.
Only for sheep...
Wintel BSOD 9th Nov 2009
...who like big brother tracking your every move.

Which is yet another reason I won't use Chrome. Unless you insist everybody does what you do

I suppose if I was doing something illegal, I would take
measures that would make my tracking impossible..
i.e. use cash instead of credit card, use internet cafe, IP
masking software, encryption, clandestine meetings in
the woods)


Oh I see, so entering cc numbers online is considered "illegal activity"?

Are you being snide or stupid?

Usually people only enter something in the search
box if they want to ask a search engine to search
for it.. which of course, results in sending it to
the search engine, duh.
Jesus, are you clueless or what...
Wintel BSOD 10th Nov 2009
Go back and read it again. He wasn't talking about entering CC numbers in a search box. He was talking about using cash instead of entering CC numbers on the internet.

And when do people usually enter CC numbers?

I'll give ya a hint... When you ***** something.
I was replying to you, not him.
AzuMao 10th Nov 2009
Anyways, you obviously didn't read his post
either. He wasn't saying it's illegal to use a
credit card. He was saying it makes it easier to
track you, and that if you're doing something
illegal you want to avoid being tracked.

So you actually have no point whatsoever. Read
before replying next time.
I know who you were talking to
Wintel BSOD Updated - 10th Nov 2009
And as usual, you are blinded by the chrome that's out there.

He was being snide and idiotic by mentioning meeting in the woods, using cash etc...

And since I'm not buying anything from Google, there's no reason for me to use their browser as an open window for my buying habits. If they want that, they're gonna have to get it from somewhere else.

The fact is people are protected from credit card fraud. It's not perfect, but when you order something online, it's usually through an SSL webpage or a site that uses VeriSign digital key verification and anti-phishing filters.

And even if somebody tracked your cc in order to commit fraud, the customer is still only liable for the first $50 of that fraudulent transaction.

Or maybe you're not old enough to have a credit card so you don't know that. Right, little man?
@UAC nanny screen
AzuMao 11th Nov 2009
Again; do you have any point whatsoever?

Last time I checked, Chrome supported SSL.

And the only thing that gets sent to Google's
servers is what you type into the search bar,
and even that can be disabled by going to
options>under the hood and unchecking search
suggestions.

So what (if anything) are you trying to get at??
you need to be careful.
Al_nyc 10th Nov 2009
Ever heard the phrase "anything you say can be used against you"? Well, "anything you type can be used against you" is also true. So you should be concerned.

type "how do I make bombs?" into the search bar,
there's an easy solution; options>under the
hood>uncheck search suggestions.
Um, no.
AzuMao 7th Nov 2009
It's called search suggestions. Nothing new at
all. And in Chrome you can even disable it;
Options>Under>untick use a suggestion service
Then forget Chrome; Use Iron
BGunnells 10th Nov 2009
Iron is basically the same browser, built on the same source, but with no privacy concerns.

See post above (#1.2.3)...

-=B

Okay let's start with what AzuMao keeps pointing out.
Google only logs what you type in the search bar.
entering a credit card number on a website doesn't get
recorded. If you can't tell the difference here, your
opinion is already invalidated as it is obvious you
are an idiot. furthermore, again as Azumao points out,
you can turn that feature off.

Now let's think about this idea that some hacker could
use this feature to somehow steal this information.
Discounting the above, pretend it isn't true, and
Chrome records everything(remember that you are a
moron if you believe this) There are three ways a
hacker could make use of this

1)Steal the data from google's servers, not saying
it's impossible, but rather unlikely, wouldn't you say

2)Intercept the data in transit. But oh wait, if they
can do that then they could intercept the original
data, so why bother with what's sent to google?

3)Get it from in memory on its way out. yet again, if
the hacker can do this to your machine, it doesn't
matter what browser you're using or whether it splits
the data somewhere else. They could do it anyways.


So for the concerns everyone keeps hashing out here to
actually be valid, google would have to for some
reason record everything you do in Chrome(why on earth
would google care about your fantasy football league?)
AND would have to have their servers breached. Why
would any fraudster or hacker go this route when they
can convince people to download software or click on
links that any sane human being would realize they
shouldn't?

The joke of information security these days, is all
the poseurs obsessed with perceived security with no
real understanding of the true threats.
Your second example
AzuMao 12th Nov 2009
Can be prevented by properly implementing HTTPS.

It is very important that all pages where
sensitive information is submitted implement it,
not just login pages.
RE: High-risk flaw dings Google Chrome
efsane Updated - 8th Apr 2011
Well done! Thank you very much for professional templates and community edition
sesli sohbet sesli chat
