Google closes three vulnerabilities in Chrome 2
Google has released version 2.0.172.43 of Chrome 2, a security update fixing three vulnerabilities. A high-severity vulnerability in the V8 JavaScript engine could allow an attacker to run specially-crafted JavaScript on a page, bypassing security checks to read unauthorised memory, or even leading to the execution of arbitrary code. The vulnerability is reportedly contained to the Chrome sandbox. According to Google, for an attack to be successful, a "victim would need to visit a page under an attacker's control". Further details of the vulnerability, however, are currently being withheld until "a majority of users are up to date with the fix".
Two vulnerabilities in the libxml2 library have been fixed that could have also allowed an attacker to use a malicious XML payload to crash a Google Chrome tab process and even execute arbitrary code within the Chrome sandbox. As with the previous vulnerability, for an attack to be successful, the victim would need to visit a compromised web page.
Additionally, Google has also revised the way in which Chrome processes SSL certificates. From now on, the browser will no longer connect to HTTPS sites with certificates that are signed using MD2 or MD4 hashing algorithms. Google considers the algorithms, which are vulnerable to collision attacks, to be weak as they could "allow an attacker to spoof an invalid site as a valid HTTPS site".
Users that currently have Chrome installed can update using the built-in update function by clicking Tools, selecting About Google Chrome and clicking the Update button.
See also:
- Stable Update: Security fixes, security advisory from Google.
- Vulnerabilities in different vendors XML parsers, a report from The H.
(crve)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
