More security issues with Google Chrome

Very recently, I had written about Security Problems with Google Chrome and how a FIX had been released to resolve the issue. But it appears that within a span of two weeks, Google Chrome has been updated with two more security patches, to fix a pair of vulnerabilities, one being critical and the other high risk.

clip_image002Very recently, I had written about Security Problems with Google Chrome and how a FIX had been released to resolve the issue. But it appears that within a span of two weeks, Google Chrome has been updated with two more security patches, to fix a pair of vulnerabilities, one being critical and the other high risk.

Vulnerabilities

  • Critical: An attacker might be able to run code with the privileges of the logged on user.
  • High: An attacker might be able to run arbitrary code within the Google Chrome sandbox.

Silent Updates

Google Chrome is released as a silent update, meaning that the browser patches itself without the user’s knowledge.

Google Chrome Security Fixes

CVE-2009-1441: Input validation error in the browser process

A failure to properly validate input from a renderer (tab) process could allow an attacker to crash the browser and possibly run arbitrary code with the privileges of the logged on user. To exploit this vulnerability, an attacker would need to be able to run arbitrary code inside the renderer process.

Mitigation: An attacker would need to be able to run arbitrary code in the renderer process.

CVE-2009-1442: Integer overflow in Skia 2D graphics

A failure to check the result of integer multiplication when computing image sizes could allow a specially-crafted image or canvas to cause a tab to crash and it might be possible for an attacker to execute arbitrary code inside the (sandboxed) renderer process.

Mitigation:

  • A victim would need to visit a page under an attacker’s control.
  • Any code that an attacker might be able to run inside the renderer process would be inside the sandbox

(Source: GoogleChromeReleases)

7 Comments

venkat May 7, 2009

Where Google Chrome posts about these fixes to vulnarabilties as Mozila fireofx did?they are doing silent updates user must know security level of chrome browser he is using.

Swati May 11, 2009

@Venkat,
I personally feel that it is better to inform the users about the security updates, then do it silently. It just doesn’t seem like the right thing to do, especially at a time when everyone knows about the major security problems Chrome has been facing in the recent past. Getting to know about it through blogs and news won’t leave behind a very good impression. However, I am sure some ppl might disagree. This is a debatable subject.

rahul May 8, 2009

i installed chrome but still like opera…….

Pranita May 9, 2009

i installed Google Chrome… it is not user friendly at all. This looks like very good info to me.

Irrespective of the security level and the technicality of it, it’s more important to see it in a lay-man’s perspective.

After using Google, Google Chrome does’nt look that user friendly. After the first install, i did not want it at all and now I am continuing with the old one.

Swati May 11, 2009

@Pranita,
Really? I never tried downloading it myself. All the security issues kinda’ scared me.

ZK@Web Marketing Blog June 17, 2009

Personally I’m still sticking with Firefox, mainly because of all it’s addons. I like what I’ve seen of Google Chrome, and will probably give it another go once it is out of beta (All Google software comes out of beta eventually, doesn’t it? :P)

Swati July 1, 2009

@ZK: Absolutely. I’d choose Firefox over Chrome too.