
Zero Day

Ryan Naraine and Dancho Danchev

High-risk vulnerabilities hit Google Chrome

By Ryan Naraine | August 25, 2009, 1:21pm PDT

Summary: Google has shipped a new version of its Chrome browser to fix multiple serious security flaws that expose users to code execution attacks.

Multiple serious security flaws in the Google Chrome browser could expose users to code execution attacks, according to an advisory released today.

The flaws, rated “high risk,” have been addressed in Google Chrome 2.0.172.43, which is being delivered to Chrome users automatically through the browser's update mechanism.

Details on the serious issues:

  • CVE-2009-2935 (High Severity): A flaw in the V8 JavaScript engine might allow specially crafted JavaScript on a web page to read memory it is not authorized to access, bypassing V8's security checks. This could disclose data to an attacker or allow an attacker to run arbitrary code within the Google Chrome sandbox. Technical details are being withheld until the fix has reached a majority of Chrome users.
  • CVE-2009-2416 (High Severity): Pages using XML can cause a Google Chrome tab process to crash. A malicious XML payload may be able to trigger a use-after-free condition, which an attacker might be able to turn into arbitrary code execution within the Google Chrome sandbox. Other tabs are unaffected.

In both cases Google limits the stated impact to code execution inside the sandboxed tab process, not the underlying machine. Users who want to confirm they have the fix should check that the version shown under About Google Chrome is 2.0.172.43 or later.

With this update, Google Chrome no longer connects to HTTPS (SSL) sites whose certificates are signed using the MD2 or MD4 hash algorithms. Both algorithms are considered weak, and Google explained that a certificate signed with one of them could allow an attacker to pass off a forged, invalid site as a valid HTTPS site.
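As an added example (not code from the original article and not Google's implementation), the script below shows what a client has to do to enforce that policy: pull the signatureAlgorithm OID out of the DER-encoded certificate and compare it against the md2WithRSAEncryption and md4WithRSAEncryption OIDs from PKCS #1. The DER walker is deliberately minimal, and sample_certificate builds a constructed placeholder, not a real certificate: only its signatureAlgorithm field is meaningful.

```python
"""Reject HTTPS certificates signed with MD2- or MD4-based algorithms.

Added example, not Chrome's code. A minimal DER walker pulls
Certificate.signatureAlgorithm.algorithm out of a DER-encoded X.509
certificate (SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue })
and compares the OID against the weak-digest signature algorithms.
"""

# RSA signature OIDs from PKCS #1 that use MD2 or MD4 as the digest.
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.3": "md4WithRSAEncryption",
}

SEQUENCE, OID, NULL, INTEGER, BIT_STRING = 0x30, 0x06, 0x05, 0x02, 0x03


def _read_tlv(buf, pos):
    """Parse one DER element at buf[pos]; return (tag, contents, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not supported")
    pos += 2
    if length & 0x80:                        # long form: low 7 bits = length of length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:end], end


def _decode_oid(contents):
    """Decode OBJECT IDENTIFIER contents into dotted-decimal form."""
    first = contents[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                     # high bit clear ends this arc
            arcs.append(acc)
            acc = 0
    if acc:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(cert_der):
    """Return the dotted OID of Certificate.signatureAlgorithm.algorithm."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != SEQUENCE:
        raise ValueError("Certificate is not a SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)            # tbsCertificate: skipped
    tag, sig_alg, _ = _read_tlv(cert, pos)       # signatureAlgorithm
    if tag != SEQUENCE:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(sig_alg, 0)          # AlgorithmIdentifier.algorithm
    if tag != OID:
        raise ValueError("algorithm is not an OBJECT IDENTIFIER")
    return _decode_oid(oid)


def certificate_is_acceptable(cert_der):
    """False when the signature uses MD2 or MD4 (the Chrome 2.0.172.43 policy)."""
    return signature_algorithm_oid(cert_der) not in WEAK_SIGNATURE_OIDS


# --- constructed sample input (placeholder skeleton, not a real certificate) ---

def _der(tag, contents):
    """Encode one DER element; short-form length is enough for these samples."""
    if len(contents) >= 0x80:
        raise ValueError("short-form length only")
    return bytes([tag, len(contents)]) + contents


def _oid_der(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(chunk)
    return _der(OID, bytes(out))


def sample_certificate(sig_oid):
    """Constructed Certificate skeleton; only signatureAlgorithm is meaningful."""
    tbs = _der(SEQUENCE, _der(INTEGER, b"\x01"))                    # placeholder tbsCertificate
    sig_alg = _der(SEQUENCE, _oid_der(sig_oid) + _der(NULL, b""))   # AlgorithmIdentifier {oid, NULL}
    sig_value = _der(BIT_STRING, b"\x00" + b"\xAA" * 8)             # placeholder signature bits
    return _der(SEQUENCE, tbs + sig_alg + sig_value)


if __name__ == "__main__":
    for oid, name in [("1.2.840.113549.1.1.2", "md2WithRSAEncryption"),
                      ("1.2.840.113549.1.1.3", "md4WithRSAEncryption"),
                      ("1.2.840.113549.1.1.11", "sha256WithRSAEncryption")]:
        verdict = "accept" if certificate_is_acceptable(sample_certificate(oid)) else "REJECT"
        print(f"{name:<26} {oid:<24} {verdict}")
```

The check keys on the algorithm OID alone, which is all a client needs: a certificate whose signature used MD2 or MD4 is rejected before any signature verification, so a forged certificate cannot be rescued by a valid-looking chain. A truncated or malformed certificate raises ValueError rather than being silently accepted.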


Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a security evangelist. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

35 Comments


RE: High-risk vulnerabilities hit Google Chrome
birumut Updated - 29th Apr
Great!!! Thanks for sharing this information with us!
seslisohbet seslichat
0 Votes
High-risk vulnerabilities hit Google Chrome
Loverock Davidson 25th Aug 2009
This software was programmed by Google, did anyone not see this happening? Google has the worst programmers because they don't give two squats about anything except playing with their office toys all day.
0 Votes
Chrome slaughters IE
fr0thy2 25th Aug 2009
in performance terms, but you wouldn't know because Microsoft didn't tell you that.

Oh, and it works on multiple operating systems. MS can't even get MS apps to work properly on an MS OS. That is funny.
0 Votes
So you're saying that Chrome compromises its users' safety faster than IE?
de-void-21165590650301806002836337787023 25th Aug 2009
Precisely.

All the speed in the world does not make up for even ONE security flaw.

Perhaps Google should be spending more time making sure that they build the substrate of Chrome so that it's safe and secure FIRST. Speed can come later.
0 Votes
...Faster than IE?
wolftalamasca 25th Aug 2009
And we all know IE has NO flaws... just like its operating system. Those security holes are there as features.

IE has full access to the OS and user data that no other web browser has, and does not use -individual- processes for its tabs... with individual sandboxes to limit the damage a flaw like this, or future unseen ones, can do.

Chrome is not perfect, granted. I have privacy concerns with any/all browsers, and Chrome's parent's obsession with collecting/storing/manipulating data (be that you can supposedly shut it off or not) just plain frightens me. But making petty fun of it, with ludicrous statements... and even more petty slinging at its window colors... just emphasizes what kinds of narrow-minded, hurtful "my OS/app is better than yours... cause more people use it and I believe it's always right" kind of juvenile mentality people have here.

Stop nit-picking and point'n'laughing at the little bugs which every OS/app will get hit with... and discuss the larger issues.
0 Votes
Eye of the beholder.
ShadowGIATL 25th Aug 2009
And we all know IE has NO flaws... just like its operating system. Those security holes are there as features.

All OS and browsers have flaws. It's that simple.

IE has full access to the OS and user data that no other web browser has, and does not use -individual- processes for its tabs... with individual sandboxes to limit the damage a flaw like this, or future unseen ones, can do.

Actually, IE 8 does sandbox. While I'm actually a fan of Firefox, and have become disgruntled with IE8, it does recover from errors better than some browsers. However, it does have more errors than most. None are perfect. Far from it.

Chrome is not perfect, granted. I have privacy concerns with any/all browsers, and Chrome's parent's obsession with collecting/storing/manipulating data (be that you can supposedly shut it off or not) just plain frightens me.

Google contains entirely way too much info about everyone in more ways than most people know about. It really is scary. I'm not one to run around making claims that they know who the data belongs to individually, but the fact remains that they do collect tons of information, anonymously or not, about everything. And now they want your iPhone contacts AND your health records? No thanks. They made a great search engine, and have contributed good code to open source. They should stop there. But this is my personal opinion.

But making petty fun of it, with ludicrous statements...

Maybe people take everything too seriously? Hmm..

and even more petty slinging at its window colors...

That said... the color scheme does suck. It's too much like Vista's basic theme. I like Firefox's mockups with glass built into it. Looks more integrated and professional. Chrome kinda looks like something you'd find on a VTECH for kids. Again, just my opinion.

just emphasizes what kinds of narrow-minded, hurtful "my OS/app is better than yours... cause more people use it and I believe it's always right" kind of juvenile mentality people have here.

Works both ways... well... three ways. There are fanboys on all sides, and they are all equally annoying.

Stop nit-picking and point'n'laughing at the little bugs which every OS/app will get hit with... and discuss the larger issues

But then how would everyone entertain themselves? For some, this is all they have to keep them from going postal.
0 Votes
All browsers have bugs
scarybeasts 25th Aug 2009
All browsers have bugs, simply because they are massive and hugely complex pieces of software.

The question is, how does a given browser compensate given the above reality? Chrome has a built-in sandbox and rapid updates.

Chris Evans, Chrome Security Team
0 Votes
You'll be happy to know
John Zern 25th Aug 2009
that Google is basing their "OS" off of their Chrome browser.

Virus/Malware writers start your coding!

LOL!

There seem to be more than an insignificant number of highly critical vulnerabilities in Chrome. I say this as someone who runs Chrome on his home PC and appreciates it, but I must admit that I'm disappointed by how badly Google seems to have missed what they claimed was their #1 top priority.
0 Votes
I'm waiting for these to subside
Michael Kelly 25th Aug 2009
before I even start trying Chrome. For something like a web browser it pays to wait for it to mature.
0 Votes
You hit the nail on the head
fr0thy2 25th Aug 2009
of why not to use MS stuff.

Every time they get anything remotely stable or secure it's "shareholder gouge the punter" time again with new unsafe stuff.
0 Votes
Sounds like Google
John Zern 25th Aug 2009
more than you'll ever want to admit to!

LOL!
0 Votes
I guess...
ShadowGIATL 25th Aug 2009
it's MSFT's fault Google can't keep chrome secure? And that Apple can't keep Safari secure? And so on and so on.

Even when the security bugs are in the browser and not the OS. And even when it happens on Linux and OSX. But at least Google patched it quick.

No one has really mentioned that they have at least gotten better about patching it more quickly, and had the decency to tell everyone and not silent patch to hide it.

Nah... let's focus on things that have nothing to do with the subject instead.
0 Votes
Ground Up ????
knudson 26th Aug 2009
I thought Chrome was based on an older, with some security issues, version of Safari???
0 Votes
It appears that the sandbox put in place by Google (and Vista/Windows7) is still effective.

Translation: An attacker exploiting these vulns can "only" take over the browser session. He cannot change preferences, but he may be able to snoop on traffic and redirect Chrome to dodgy sites. But once you close the browser, the attacker's session goes down with it.

Tips hat for sandboxing Chrome.
0 Votes
Ah, I missed that part
NonZealot 25th Aug 2009
That makes me feel better. I thought the line that talked about bypassing security checks meant that any exploits could escape the sandbox.

Tips hat for sandboxing Chrome.

Ditto and I take back my earlier comment about being disappointed, it was based on my mistaken belief that the sandbox had been bypassed. Every browser will have vulnerabilities and they all need extra protection like those you get with IE Protected Mode, Chrome Sandboxing, and Linux's AppArmor. Shame, shame, shame on any browser (including my favorite, Firefox) that offers no layered protection against vulnerabilities.
0 Votes
The fact that an application can "read unauthorized memory" at all is an indictment of the operating system, not the application.
0 Votes
Yep, you are exactly right
KTLA 25th Aug 2009
As with every other security issue (regardless of the app) Windows is yet again to blame with shoddy programming.

Just run OSX and none of this can happen.
0 Votes
You are kidding, right?
NonZealot 25th Aug 2009
Just run OSX and none of this can happen.

Gee, Apple disagrees with you.
http://support.apple.com/kb/HT3733
A heap buffer overflow exists in the drawing of long text strings. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.

There are OSs and architectures that are able to protect users from these types of things, but OS X ain't it! :)
0 Votes
BeOS...
ShadowGIATL 25th Aug 2009
as far as I know, there exist no exploits in the wild for BeOS.

I miss the little OS that didn't. It was solid and looked good.
0 Votes
FAIL
de-void-21165590650301806002836337787023 25th Aug 2009
The unauthorized memory referred to is memory within the process space of the host application.

If a page were to exploit this issue, all they'd be able to do is access memory within the process space of that sandbox instance.

This is something that is entirely down to the app to manage. Google's sandbox, in this case.
0 Votes
I am not surprised. Chrome looks like something a third grader has built from his momma's basement. I'll probably use it in the near future. Say 2020?
0 Votes
It's got the wrong coloured border?
fr0thy2 Updated - 25th Aug 2009
Best stick with what you can handle then ...
0 Votes
I will...
ShadowGIATL 25th Aug 2009
I can handle FireFox much better. Thanks for the advice.
0 Votes
High risk spyware
privacy matters 25th Aug 2009
Chrome is spyware. It monitors every search and visit you make. You could be bugged by the FBI for simply searching p**n!
0 Votes
The real point
jorjitop 25th Aug 2009
You don't need vulnerabilities to be at risk with Chrome. All Google products have built in spyware.
0 Votes
Wrong focus
trophygeek Updated - 25th Aug 2009
Ignoring the rationale that somehow, out of the hundreds of millions of internet users, you're special and for some reason the FBI is watching you, the real weak link in the privacy chain is your ISP... not Google or Yahoo or even Microsoft.

Besides, getting bank logins and credit card numbers stolen is what we should really be focusing on here.

Ranting about Google and your privacy is just distracting novice users from the *real threat* of getting their computer control (and thus identity) stolen.

Google has spent a lot of resources to make Chrome for free, and everybody I know who's at all technical uses it because it's a magnitude more secure than other browsers.

Backing up my claims: put these terms into your favorite search engine [hack chrome ie firefox contest].

0 Votes
Chrome is pretty hard to crack and this is one of the few problems that it has exhibited. This would seem to be a medium-high risk.
0 Votes
Seems to me..
ShadowGIATL 25th Aug 2009
it's the vulnerability itself that determines the severity, and not the apps history. If a vault door hasn't been cracked in 100 years, would you consider a 4 square foot hole in the back only a minor security risk due to its past?
0 Votes
I was referring to the mitigating factors, e.g., the sandbox. That factor seems to indicate that this is a medium-high (still high but not the worst) risk.
0 Votes
They must have some reason...
ShadowGIATL Updated - 28th Aug 2009
to feel it was a pretty high risk. Why would they overstate the risk on their own software?

I'm not saying it is or isn't, but just stating they seem to think so. There is a possibility the exploit allowed for crossing the sandbox. At any rate, even inside a sandbox, an attacker would have access to anything within the sandbox, and that could include things such as bank account info. Seems fairly serious enough to me.

Either way, it is less important how high the risk, but more that they had the decency to patch it quickly, and let the public know it was patched. They do have a history of hiding bugs and exploits and patching them silently so that people would think their software had fewer bugs. It backfired, and now they seem to make better efforts.
0 Votes
very much so
Narr vi 27th Aug 2009
The security architecture of Chrome wasn't compromised, as the exploit could only have run in a sandbox.

Quite the fearful comments out there, but with this 'journalism', it's not a surprise.
0 Votes
Everyone needs an education here...
Cakalaky 26th Aug 2009
Look, Chrome is the most secure browser available. Firefox, Safari, IE cannot compete with Chrome. In the latest Pwn2Own competition, it was stated that "Google's Chrome browser, however, was the only one left standing, a victory that security researchers attribute to its innovative sandbox feature." "Firefox, Safari, and Internet Explorer were all exploited..."

So everyone quit your complaining and trash talking Chrome and become educated before you rattle off something ignorant.

Read more here http://bit.ly/qGoYt

Plus for all you MAC lovers, it was hacked in 10 seconds read about it here http://bit.ly/SwZ8h
0 Votes
Google in General
vermonter Updated - 28th Aug 2009
They don't want to make Chrome too secure, because then they might not be able to secretly collect every scrap of data we can make available to them.

Replace "Skynet" with "Google", and you can see where this is heading..
nice one.
0 Votes

