Google closes critical vulnerabilities in Chrome 5
Google has released version 5.0.375.127 of Chrome, a security update that addresses two "critical" and six "high" risk vulnerabilities in its WebKit-based browser. According to the developers, one of the critical issues, related to the file dialogue, could lead to memory corruption, while the second could cause a crash on shutdown due to a notifications bug.
Additionally, the stable channel update addresses a number of high risk bugs that may, for example, lead to memory corruption in SVG handling, in MIME type handling (two bugs) and in Ruby and Geolocation support. Two other vulnerabilities, one related to text editing and one a possible address bar spoofing bug, both rated as high, have been closed.
A medium risk problem has also been fixed: the address bar at the top of the browser window (also known as the Omnibox), which doubles as a search box, would offer auto-suggestions even when the user may be about to type in a password. Further details of the vulnerabilities are being withheld until "a majority of users are up-to-date with the fix". All users are encouraged to update to the latest release as soon as possible.
As part of its Chromium Security Reward programme, launched earlier this year, Google has been rewarding those reporting security vulnerabilities. In total, Google has awarded more than $10,000 to those who discovered the above vulnerabilities in its browser, including Sergey Glazunov, Mike Taylor, kuzzcc and Team509's Wushi. Google Chrome developer Jason Kersey notes that Marc Schoenefeld was awarded $1,337 for his help in closing a critical vulnerability in an external component, a Windows kernel bug.
More details about the Chrome 5.0 security update can be found in a post on the Google Chrome Releases Blog. Chrome 5.0.375.127 is available to download for Windows, Mac OS X and Linux from google.com/chrome. Users who currently have Chrome installed can use the built-in update function by clicking Tools, selecting About Google Chrome and clicking the Update button.
- Google's security team redefines "responsibility", a report from The H.
- First beta of Chrome 6 available, a report from The H.
- Google releases Chrome 5.0 for Windows, Mac OS X & Linux, a report from The H.