Google Plugs Major Security Hole in Chrome

rated by 0 users
This post has 3 Replies | 0 Followers

Top 10 Contributor
Posts 26,420
Points 1,193,075
Joined: Sep 2007
ForumsAdministrator
News Posted: Fri, Apr 24 2009 11:23 PM

Google recently updated its Chrome browser in order to fix a major security problem. The problem affects the mainstream stable version of Chrome and is fixed in the new version 1.0.154.59.  Chrome is built to automatically update itself, so users should receive this update without having to do anything. The update will require the software to be restarted before it takes effect. Should you need to manually force the download, you can do so by clicking the wrench icon in the upper right corner of the browser, selecting About Google Chrome, and clicking Update Now.
 

 

 

The security problem was originally reported on April 8th by Roi Saltzman of the IBM Rational Application Security Research Group. During unreleased research, Saltzman discovered a number of security issues that reside in various parts of Google Chrome that pose a threat to any user who visits a maliciously crafted page using Internet Explorer and has Google Chrome installed. The issue allows cross-site scripting attacks that can make a Web browser process unauthorized code and enable a variety of attacks including impersonation and phishing.
 

 

Mark Larson, Google Chrome program manager, further described the problem in a blog posting:

 

An error in handling URLs with a chromehtml: protocol could allow an attacker to run scripts of his choosing on any page or enumerate files on the local disk under certain conditions.

 

If a user has Google Chrome installed, visiting an attacker-controlled web page in Internet Explorer could have caused Google Chrome to launch, open multiple tabs, and load scripts that run after navigating to a URL of the attacker's choice.

 

The attack wouldn’t work if Chrome was already running. Saltzman noted the way Internet Explorer processes URL protocol handlers has been widely used to attack other applications in the past. Saltzman praised Google for its quick response and the way in which the company handled the situation.

 
 
  • | Post Points: 20
Top 10 Contributor
Posts 5,053
Points 60,715
Joined: May 2008
Location: U.S.
Moderator
3vi1 replied on Sat, Apr 25 2009 11:59 AM

>> Chrome is built to automatically update itself, so users should receive this update without having to do anything.

Virus idea #734: Create a super tiny trojan that does nothing but amend the hosts file so that when Chrome updates itself, it instead gets a malware infested version from Chinese servers that completely zombafies the host.

What part of "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn" don't you understand?

++++++++++++[>++++>+++++++++>+++>+<<<<-]>+++.>++++++++++.-------------.+++.>---.>--.

  • | Post Points: 20
Top 10 Contributor
Posts 5,053
Points 60,715
Joined: May 2008
Location: U.S.
Moderator
3vi1 replied on Sat, Apr 25 2009 12:01 PM

[fixed edits in first message]

What part of "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn" don't you understand?

++++++++++++[>++++>+++++++++>+++>+<<<<-]>+++.>++++++++++.-------------.+++.>---.>--.

  • | Post Points: 5
Top 50 Contributor
Posts 2,917
Points 24,670
Joined: Jul 2001
Location: United States, New York
digitaldd replied on Mon, Apr 27 2009 10:01 AM

3vi1:

>> Chrome is built to automatically update itself, so users should receive this update without having to do anything.

Virus idea #734: Create a super tiny trojan that does nothing but amend the hosts file so that when Chrome updates itself, it instead gets a malware infested version from Chinese servers that completely zombafies the host.

 

That could be said of any Google software they all require the Google updater to update themselves. I would hope they have some sort of security measure built-in to verifiy the update was signed by Google. of course that could be faked as well.

 

  • | Post Points: 5
Page 1 of 1 (4 items) | RSS