Google closes three vulnerabilities in Chrome 2
Two vulnerabilities in the libxml2 library have been fixed that could also have allowed an attacker to use a malicious XML payload to crash a Google Chrome tab process and even execute arbitrary code within the Chrome sandbox. As with the previous vulnerability, for an attack to be successful, the victim would need to visit a compromised web page.
Google has also revised the way in which Chrome processes SSL certificates. From now on, the browser will no longer connect to HTTPS sites whose certificates are signed using the MD2 or MD4 hashing algorithms. Google considers the algorithms, which are vulnerable to collision attacks, to be weak because they could "allow an attacker to spoof an invalid site as a valid HTTPS site".
Users who currently have Chrome installed can update using the built-in update function by clicking Tools, selecting About Google Chrome and clicking the Update button.
- Stable Update: Security fixes, security advisory from Google.
- Vulnerabilities in different vendors XML parsers, a report from The H.