News
Critical Vulnerability Patched in Google's Chrome
A Vietnamese security company has found a critical vulnerability in Google's new browser Chrome, but Google has already released a patch
By Jeremy Kirk, IDG News Service (London Bureau)
September 09, 2008 — CSO —
A Vietnamese security company has found a critical vulnerability in Google's new browser Chrome, but Google has already released patch for that problem and at least one more.
The vulnerability is one of several problems identified in the browser since it was released early last week. The bug is a buffer overflow that occurs if a user saves a Web page containing an overly long "title" tag, according to Bach Koa Internetwork Security (Bkis), based at the Hanoi Institute of Technology.
The browser can encounter a problem trying to save a file with the name contained in the overly long title tag. An attacker could then have control of the PC and could execute other code on the machine, Bkis wrote on its blog. The problem can be exploited on PCs running Windows XP SP2 and Chrome version 0.2.149.27.
Chrome users are advised to upgrade to the latest version. To do that, go to the wrench icon in the upper right hand corner of the browser and down to "About Google Chrome." The browser will then check for an update. If there is one, Chrome will download it and ask to restart. The up-to-date version is 0.2.149.29.
Although Google has been working on Chrome for two years, it still considers the browser a beta version. The company was using the browser internally among its employees for some time, but its surprise unveiling last week set the browser loose to the general public in more than two dozen languages.
Last week, researcher Aviv Raff wrote that Chrome had a vulnerability due to its use of an outdated version of WebKit web browser engine. The vulnerability is know as the "carpet bombing" flaw, which can cause Windows to download a potentially dangerous JAR (Java archive) and execute it without warning users. Google has also fixed that flaw, a company spokesman said Monday.
The second problem identified shortly after Chrome's release could allow hackers to force Chrome to crash. That vulnerability, found by security researcher Rishi Narang, could be exploited by constructing a malicious link of a certain format, according to Narang's advisory.
Data Center Directions Virtual Conference
Attend this free, 100% online event exploring tools and techniques for making your data center deliver for today and tomorrow.
The Surest Path to Effective and Efficient Compliance
In this webcast, we explore why and how — with best practices, practical tips and solutions that work — to ease your compliance challenge.
- Make Compliance Regulations an Ally Not an Enemy
- Protecting Sensitive and Confidential Information with Endpoint Security
- Endpoint Security: Compliance at the Endpoint
- Revolutionizing Endpoint Security with a Single Agent
- Data Protection: Challenges for the Traveling User
- View Gartner Video: Best Practices on Web Application Security
- Unlock the Power of Device ID to Combat Online Fraud and Abuse
- Network Security Services: Outsourcing considerations for maximizing network protection
- File Integrity Monitoring: Secure Your Virtual and Physical IT Environments
- Configuration Assessment: Choosing the Right Solution
- IT Service Management: Metrics That Matter
- Effective Security with a Continuous Approach to ISO 27001
Get instant notifications when whitepapers, webcasts and case studies are added
to our library. Sign up for a Resource Alert now!
CSO Corporate Partners
CSO Executive Seminar on Application Security
-
January 29, 2009New York, New YorkRegister now »
-
February 25, 2009San Francisco, CaliforniaRegister now »
(ISC)2 members can earn up to 6 CPE Credits
Reference priority code ONLINE and attend this program as our guest — that's a $295 savings!
