Google plugs 'high risk' WebKit holes in Chrome
According to Google Chrome program manager Mark Larson, the most serious of the two flaws could allow hackers to execute harmful code in the browser's sandbox. It is rated "high severity."
A memory corruption issue exists in WebKit's handling of recursion in certain DOM event handlers. Visiting a maliciously crafted website may lead to a tab crash or arbitrary code execution in the Google Chrome sandbox. This update addresses the issue through improved memory management.
[ SEE: Study: Silent patching best for securing browsers ]
For an attack to be successful, the victim would havve to visit a Web page under the attacker's control. Larson said that any code that an attacker might be able to run inside the renderer process would be inside the sandbox.
The update also fixes:
An issue exists in WebKit's handling of drag events. This may lead to the disclosure of sensitive information when content is dragged over a maliciously crafted web page. This update addresses the issue through improved handling of drag events.
Google rates this a "medium" severity bug and warns that an attacker might be able to read data belonging to another web site, if a user can be convinced to select and drag data on an attacker-controlled site.
The patch is being pushed out to Google Chrome via the browser's silent/automatic update mechanism.