In association with heise online

06 November 2009, 10:28

Google closes vulnerabilities in Chrome 3

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Google has released version 3.0.195.32 of Chrome, a security update that addresses a high risk vulnerability in its WebKit-based browser. In addition to a number of stability fixes, the stable channel update fixes a bug that could lead to possible memory corruption in the Gears plug-in. For an attack to be successful, a victim would have to visit a site under the attackers control and give that site access to Gears. The attacker could then place the Gears SQL metadata into a bad state which, in turn would cause memory corruption that could cause the Gears plugin to crash or allow for arbitrary code execution.

The latest stable release also corrects a medium risk bug that prevents a user from being warned about possibly dangerous file types, such as SVG, MHT and XML files, which could lead to the execution of JavaScript with access to local resources. Further details of the vulnerabilities, however, are currently being withheld until "a majority of users are up to date with the fix", but have provided links to the withheld items in the issue tracker for the JavaScript and Gears SQL problems. Other changes include fixes for issues with Adobe Acrobat Reader 9.2 that would cause no content to be displayed, an infinite loop in AAC decoding, and a problem that would sometimes eat 100 per cent of the CPU.

More details about the release can be found in a post by Chrome Program Manager Anthony Laforge on the Google Chrome Releases Blog. Users that currently have a Chrome beta channel release installed can update using the built-in update function by clicking 'Tools', selecting 'About Google Chrome' and clicking the 'Update' button.

See also:

(crve)

Print Version | Send by email | Permalink: http://h-online.com/-852224
 


  • July's Community Calendar





The H Open

The H Security

The H Developer

The H Internet Toolkit