Chrome update prevents escape from sandbox
Google has published version 10.0.648.205 of Chrome, a security update for the Windows, Mac OS X and Linux versions, as well as for Chrome Frame for Internet Explorer. According to Google, the update addresses three vulnerabilities related to support for GPU acceleration. All three are rated critical; Google says they allow an attack to break out of the sandbox and gain access to the operating system. One of the GPU vulnerabilities, however, only affects the Windows version of Chrome.
The new Chrome version also contains a revised Flash Player plug-in from Adobe, in which a recently reported vulnerability is patched. Adobe plans to release this version of the plug-in for other browsers over the course of the day. Adobe says that Google implemented the change faster because it does not have to test as many scenarios and combinations as Adobe does before a new version completes quality assurance testing.
Adobe Reader and Acrobat are affected as well because they also contain a Flash engine. An update is planned for Adobe Reader 9.x and Acrobat 9.x on 25 April. The update for Adobe Reader X is not expected to be released until June; because its sandbox leads attacks into a dead end, the problem is less urgent there.
Chrome 10.0.648.205 is available to download for Windows, Mac OS X and Linux from google.com/chrome. Users who currently have Chrome installed can use the built-in update function by clicking Tools, selecting About Google Chrome and clicking the Update button.