< Browse > Home / Internet News / Blog article: Google fixes two critical Chrome bugs

| Mobile | RSS

Google fixes two critical Chrome bugs

August 26th, 2009 | 1 Comment | Posted in Internet News

Multiple serious security bugs in the Google Chrome browser could expose users to code execution attacks, according to an advisory released August 25.

The flaws, rated “high risk,” have been addressed in Google Chrome 2.0.172.43, which is released automatically to Chrome users.

A flaw in the V8 JavaScript engine might allow specially-crafted JavaScript on a web page to read unauthorized memory, bypassing security checks. It is possible that this could lead to disclosing unauthorized data to an attacker or allow an attacker to run arbitrary code.

Other flaw pertained to potentially fraudulent HTTPS sessions, and the more dangerous of the two could be triggered by visiting a maliciously-crafted page with certain XML content. Google has pushed out version 2.0.172.43 of Chrome already, making it available for download to anyone who uses Chrome. If you haven’t updated already, it’s a good idea to snag it.

Interestingly, Google is crediting how they discovered the flaws.  Google gave credit to Mozilla’s security team who found these flaws.

Details on the serious issues:

  • CVE-2009-2935 (High Severity): A flaw in the V8 Javascript engine might allow specially-crafted Javascript on a web page to read unauthorized memory, bypassing security checks. It is possible that this could lead to disclosing unauthorized data to an attacker or allow an attacker to run arbitrary code.  Technical details are being withheld until the fix is shipped to a majority of Chrome users. An attacker might be able to run arbitrary code within the Google Chrome sandbox
  • CVE-2009-2416 (High Severity) Pages using XML can cause a Google Chrome tab process to crash. A malicious XML payload may be able to trigger a use-after-free condition. Other tabs are unaffected. An attacker might be able to run arbitrary code within the Google Chrome sandbox.

With this update, Google Chrome will no longer connects to HTTPS (SSL) sites whose certificates are signed using MD2 or MD4 hashing algorithms. These algorithms are considered weak and might allow an attacker to spoof an invalid site as a valid HTTPS site, Google explained.

Related Posts with Thumbnails
Leave a Reply 832 views, 4 so far today |
Tags: , , , , , , , , , , , , , , , , , , , ,


Related Post :
People found this page with keyword :
Follow Discussion

One Response to “Google fixes two critical Chrome bugs”

Trackbacks

  1. Arthur Levinson quits Google board | Seo, Make Money Online and Technology  October 13th, 2009

Leave a Reply


Mallard in pondEntrance to Edinburgh University's Old QuadSunset in Old CollegeEarless in InverleithSamyang 85mm at f1.4Fire spinner at HolyroodCan you hold that pose while we adjust our cameras?Ancient Fire Wheel Defeats Modern Flash GunFire spinners at HolyroodThe fire spinners session at Holyrood

Recent Post

Most Popular

Popular Today