Tuesday, September 9, 2008

Google issues first patches for Chrome

They're aimed at multiple security vulnerabilities; browser updates automatically

Just days after it rolled out Chrome, Google Inc. issued an update after Vietnamese security researchers reported a critical vulnerability in the beta browser.

According to Le Duc Anh, a researcher at Bach Khoa Internetwork Security (BKIS), which is housed at the Hanoi University of Technology, the Chrome beta posted last week contained a buffer overflow bug that could be used by attackers to hijack PCs.

The flaw can be triggered when the user saves a Web page -- using Chrome's "Save page as" command -- with a very long name. That, in turn, creates a stack-based buffer overflow that hackers can leverage to introduce additional malicious code.

"To exploit the vulnerability, a hacker might construct a specially-crafted Web page, which contains malicious code," said a security advisory issued by BKIS on Friday. "[The hacker would] then trick users into visiting his site and convince them to save this page. Right after that, the code would be executed, giving him the privilege to make use of the affected system."

Chrome 0.2.149.27 is affected by the vulnerability. BKIS maintained that, of several Chrome bugs reported last week, this is the only one that could be used to compromise a computer.

Google patched the vulnerability Sunday and released an updated beta, Version 0.2.149.29, the same day. "We've released an update to Google Chrome that fixes many of the issues reported here," said someone identified only as "Simon" in a Chrome support forum yesterday.

Refer here for another flaw in Google Chrome on Roger's Blog.

No comments: