On TechRepublic: Weirdest error messages of all time
BNET Business Network:
BNET
TechRepublic
ZDNet

November 6th, 2009

High-risk flaw dings Google Chrome

Posted by Ryan Naraine @ 9:18 am

Categories: Arbitrary Code Execution, Browsers, Data theft, Denial of Service (DoS), Google, Google Chrome, Open source, Patch Watch, Responsible disclosure

Tags: Google Inc., Web Browser, Google Chrome, Arbitrary Code Execution, Details, Web Browsers, Security, Internet, Ryan Naraine

Google has pushed out a Chrome browser update to fix a pair of security vulnerabilities that expose uses to malicious hacker attacks.

One of the flaws carry a “high-risk” rating because of the threat of arbitrary code execution. 

[ SEE: Study: Silent patching best for securing browsers ]

  • Vulnerability #1: The user was not warned about certain possibly dangerous file types such as SVG, MHT and XML files. In some browsers, JavaScript can execute within these types of files. Because the JavaScript runs in the local context, it may be able to access local resources.  Details are being withheld until the fix is pushed out to a majority of users.
  • Vulnerability #2: A malicious site could use the Gears SQL API to put SQL metadata into a bad state, which could cause a subsequent memory corruption. This may lead to a Gears plugin crash or possibly arbitrary code execution. Google says this issue will be made public once a majority of users are up to date with the fix.

The patch is being silently distributed to all Google Chrome users.

Ryan NaraineRyan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.


Email Ryan Naraine

For daily updates on Ryan's activities, follow him on Twitter.

Subscribe to Zero Day via Email alerts or RSS.

  • Talkback
  • Most Recent of 32 Talkback(s)
Your second example
Can be prevented by properly implementing HTTPS.

It is very important that all pages where
sensitive information is submitted implement it,
not just login pages.... (Read the rest)
Posted by: AzuMao Posted on: 11/12/09 You are currently: a Guest | | Terms of Use
no NoScript..No Google Chrome  znetlol | 11/06/09
They will never...  Ceridan | 11/06/09
You can block javascript in Chrome.  AzuMao | 11/06/09
Ah, but per-site Javascript blocking is what NoScript is for  Lerianis10 | 11/07/09
Worst way...  Ceridan | 11/09/09
When I said  AzuMao | 11/09/09
No ads either  LBiege | 11/06/09
What's wrong with..  AzuMao | 11/06/09
Bull, they already have an AdBlocker that is extenstion based  Lerianis10 | 11/07/09
SRWare Iron -- The Browser of the Future  BGunnells | 11/09/09
They don't want to give that option you are asking for  Lerianis10 | 11/07/09
They're developing extensions  Macintoshtoffy | 11/08/09
Quick question  Joe_Raby | 11/06/09
If these problems are a part of Webkit, then yes.  AzuMao | 11/06/09
r4ds says  rickyvogay | 11/07/09
I noticed that there was a BIG version jump  Lerianis10 | 11/07/09
The scariest thing about Chrome?  marksashton | 11/07/09
You are paranoid...  prof123 | 11/07/09
You are paranoid...  pparks_2000 | 11/09/09
Yes  AzuMao | 11/09/09
Only for sheep...  UAC nanny screen | 11/09/09
Why would you enter your credit card number in the search box???  AzuMao | 11/10/09
Jesus, are you clueless or what...  UAC nanny screen | 11/10/09
I was replying to you, not him.  AzuMao | 11/10/09
I know who you were talking to  UAC nanny screen | 11/10/09
@UAC nanny screen  AzuMao | 11/11/09
you need to be careful.  adr5@... | 11/10/09
If you're worried about the evil big brother knocking on your door when you  AzuMao | 11/10/09
Um, no.  AzuMao | 11/07/09
Then forget Chrome; Use Iron  BGunnells | 11/10/09
Seriously, do you people have any idea what you're talking about?  TheLightcosine | 11/12/09
Your second example  AzuMao | 11/12/09

What do you think?

SponsoredWhite Papers, Webcasts, and Downloads

advertisement

Recent Entries

advertisement

Archives

Favorite Links

ZDNet Blogs

White Papers, Webcasts, and Downloads

Enterprise Applications

  • Check out some of the easiest and most powerful ways to boost productivity while saving money on your application infrastructure. See ZDNet's comprehensive Enterprise Application resource center, now!
  • New Online Dashboard
  • Read about top issues IT decision-makers face every day, plus get cost effective solutions to real life IT problems. Oracle Topline