In association with heise online

26 August 2009, 09:38

Google closes three vulnerabilities in Chrome 2

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Google Chrome.jpg Google has released version of Chrome 2, a security update fixing three vulnerabilities. A high-severity vulnerability in the V8 JavaScript engine could allow an attacker to run specially-crafted JavaScript on a page, bypassing security checks to read unauthorised memory, or even leading to the execution of arbitrary code. The vulnerability is reportedly contained to the Chrome sandbox. According to Google, for an attack to be successful, a "victim would need to visit a page under an attacker's control". Further details of the vulnerability, however, are currently being withheld until "a majority of users are up to date with the fix".

Two vulnerabilities in the libxml2 library have been fixed that could have also allowed an attacker to use a malicious XML payload to crash a Google Chrome tab process and even execute arbitrary code within the Chrome sandbox. As with the previous vulnerability, for an attack to be successful, the victim would need to visit a compromised web page.

Additionally, Google has also revised the way in which Chrome processes SSL certificates. From now on, the browser will no longer connect to HTTPS sites with certificates that are signed using MD2 or MD4 hashing algorithms. Google considers the algorithms, which are vulnerable to collision attacks, to be weak as they could "allow an attacker to spoof an invalid site as a valid HTTPS site".

Users that currently have Chrome installed can update using the built-in update function by clicking Tools, selecting About Google Chrome and clicking the Update button.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit