Google fixes Chrome vulnerabilities--but won't say which

Updated 1:44 p.m. PDT with details that Chrome automatically updates itself with no notification or choice for the user.

Google has quietly begun releasing a hastily prepared update to its Chrome browser to fix some security problems.

The new version, 0.2.149.29, replaces the 0.2.149.27 that was released when Google launched the Chrome beta version last week. Google started releasing the update Friday, initially to a small number of users, but didn't make much of an announcement about the change.

To check if an update is available, click the wrench icon in Chrome's upper-right corner, then select 'about Google Chrome.'

(Credit: Josh Lowensohn/CNET News)

"149.29 is a security update and we released it as fast as we could," said Mark Larson, Google Chrome program manager, in a mailing list posting on Sunday. "We would've liked more time to prepare things, but some of the vulnerabilities were made public without giving us a chance to respond, update, and protect our users first. Thanks for being patient as we work out the kinks in all of our processes."

However, Google isn't revealing details yet about what security issues it's fixed.

"All users have not received the update yet, so we cannot discuss the details of the security issues that were addressed, but we plan to disclose more information once the update has reached all of our user," the company said in a statement Monday.

To check if an update is available, Chrome users can click the wrench icon in Chrome's upper-right corner, then select "about Google Chrome." That will show both the version number and a message indicating whether an update is available.

Google knows best
Without a manual check, Chrome will update itself automatically, Google said. "Google Chrome will automatically checks for updates approximately every five hours. If an update is available, it will be downloaded and applied at the next browser restart," Google said.

Google believes it's best if Chrome applies security updates not only without a description of what's changing, but also without an opportunity for users to decide whether to accept the patch.

"Users do not get a notification when they are updated...When there are security fixes, it's crucial that we update our users as quickly as possible in order to keep them safe. Thus, it's important for us to not require user intervention," the company said in a statement."There are some security fixes that we'll keep quiet because we don't want to disclose security vulnerabilities to attackers."

The automatic update policy applies to security and bug fixes. "For major version updates, when feature changes are involved, we'll explore options for providing users with more details about the changes," Google said.

Microsoft and Mozilla encourage users to download and apply updates automatically to Internet Explorer and Firefox, respectively, but users can chose not to do so.

Automatic updates can cause indigestion in corporations where internal administrators often want control over what software is running or not for compatibility, security, and other reasons. But browser browser vulnerabilities loom larger as more applications move to the Web and more people rely on those services, and automatic updates can help nip attacks in the bud.

Open-source redactions
Don't look for clues about the vulnerabilities in the Chrome source code. The open-source Chromium project has publicly available mailing lists and source code, but many recent changes to the code base are redacted to show only a blank page rather than the detailed changelog notes of other changes.

"Most of the changes are visible, aside from security changes, which we must keep private in order to keep users safe," Google said of the changelog.

Programming fans also won't be able to glean any insights from the Chrome update plug-in, which is proprietary.

"We use this updater and the server architecture it interfaces with to update across many of our products, some of which are not open source," Google said. "It's not that we are trying to hide anything; rather, it's just that this update infrastructure is not intended to be used by others who may distribute their own versions of the browser based on Chromium code."

Reported vulnerabilities
One security problem found in Chrome version 0.2.149.27 is a carpet-bombing vulnerability that could help an attacker install malicious software on a user's computer without giving the user a chance to accept or reject the download. Google assigned the problem a top priority.

Another reported issue in Chrome 0.2.149.27 is a buffer overrun that could allow an attacker to run arbitrary code on a user's computer and thereby take control of it, according to Bach Khoa Internet Security.

The company was willing to discuss some other details about the update, though. For one thing, the company updated a JavaScript problem that could cause problems using Facebook. For another, it fixed a problem that would crash the entire browser if a person typed "about:%" into the address bar. Google called the problem "non-exploitable, but very annoying," reflecting the removal of the "security" label from the bug report.

[Galaxy5]

Well, they're almost as bad as "Bug Fixes" Apple.

[joetesta70]

LOL! Yea, I'm switching from FF3 to Chrome - as if!

[Vegaman_Dan]

They won't say what was fixed until every browser is updated? But... I tried it and haven't run it since then. Will they be holding up their announcements until I run Chrome and get it patched? Or is this just a nice excuse to never have to admit or explain anything since it's impossible to get every single installation patched?

Sounds like a convenient excuse.

[AppleSuxLeo]

Chrome is all hype. IE8 is the best of them all...even better than FF3. Let me explain.
I noticed that my TV app would begin to stutter and get chppy when using Chrome AND FF , but no such problems when using IE 7/8. After reading an article on CNN.COM I now know why. On real world web pages and most have Flash on them , Chrome and FF both hammer the CPU !!! With IE there is very minimal CPU usage shown to accomplish the same task. I don`t care what Google says about some javascript test being faster , because I`m seeing IE 8 be just as quick with MINIMAL CPU load on all websites. And IE 8 has many more useful features than Chrome and a better layout than their Fisher-Price interface. Real world testing shows IE 8 to be just as fast as Chrome ! Chrome...nothing but hype !

[Lerianis]

********. Chrome, Firefox and IE7/8 should all be hammering the CPU for Flash, unless Microsoft has put in a sneaky 'flash booster' somewhere in IE7/8.
I've open flash pages in Chrome, Firefox and IE7/8.... all of them don't hammer the CPU. Try foisting your BS on someone else who hasn't tested these issues.

[lmasanti]

quote:
"However, Google isn't revealing details yet about what security issues it's fixed."

It appears that Google is following Apple in almost every way!
The majority of Apple's software updates have a "detailed explanation" of "Bug Fixes" (although it could be a 4GB file.)

[Kwasiowusu]

Hey Google, what about the spyware youall have in Chrome, which logs ip addresses as well as keyboard strokes and send them to Google, even before one hits enter?

[Jamie_Foster]

Google should follow Microsoft and Mozilla in this regard. It is also disgraceful that Google should use an FOSS license of sorts yet fail to publish the changelog.
Google is worse than MS because they have not had their Wings clipped (yet!) by the EU or DOJ. They behave with no regard for anybody else. In any case they have just taken all Konqueror and Apple work applied a new skin and presented Chrome as a new browser from scratch.
They do not deserve to attract a community like Firefox. They are very secretive and have their own agenda.

[Jamie_Foster]

BTW we all know that Google Search has made them the Gatekeeper of the Internet. But do you want them to be the Gatekeeper to your own PC. Well then it that case, install Chrome, use Gmail, Google Apps, Google Maps, Google Checkout, Picasa, Lively, Orkut etc.
I'm also angry that Chrome doesn't perform a clean uninstall. It leaves crap like Googleupdate.exe in the registry. When you run Chrome there is one or two Googleupdate.exe processes running in the background all the time. This is to update Chrome and other Google Software. But Mozilla don't use that dirty trick.

[cliffroc]

I still use FF3 in iMac with Leopard operating system, laptop with Windows XP Pro and older laptop with Ubuntu 8.04. I never use Microsoft IE 7 for past three years. I also try Google Chrome browser for search and news. I am happy to see that Microsoft HAS to compete, not being lazy monopoly!

[Renegade Knight]

This is a good example of the need to find tune internet access. While I'd want chrome to surf, I may not want it to update. I need to know what wants to connect to the net, what it's connecting to, the purpose for why, etc.

Security doesn't exist if programs don't start fessing up to the Who, What, When, Why, Where, and How.

[smilin:)]

So there was some guy that left MS to work at Google. 4 months later he quit and went back to MS. He had some positive things to say but one of the big impressions that he got was that Google just writes crap software. Anyone there is allowed to throw together a "pretty" project but they have rotten supportability built in and few structured security practices.

Say what you want about MS but when they got their butts handed to them on security they did something about it. When firefox clowned them they did something about it. No player coming into the market in this day and age has an excuse for this sloppiness. The moment I heard google was releasing Chrome I said, "What no day 0 vulnerability?" ... don't give me any "but it's just beta" argument either. Google generally leaves their products in beta until they basically have an RTM like adoption and the users bugtest it. Once everyone is done then they say TA-DA...Version 1.0!!

[Goodbye Helicopter]

Whining about free software?
Back in the days of purchased browsers, you had a reason to complain.

[mattumanu]

I noticed yesterday that my firewall informed me that changes had been made to Google Chrome. I recieved no notification whatsoever. Question: What would stop a malicious attacker from exploiting the stealth update feature in Chrome should a vulnerability exist?

Answer: Nothing.

[i_made_this]

This Just In From Our You-Can-Fool-Some-Of-Them-Some-Of-The-Time Dept.

"One security problem found in Chrome version 0.2.149.27 is a carpet-bombing vulnerability that could help an attacker install malicious software on a user's computer without giving the user a chance to accept or reject the download. Google assigned the problem a top priority."

Indeed, another even more serious security problem found in Chrome (all versions) is that Google can install any software they want including malicious code on all users' computers without giving the user a chance to accept or reject the download. Users assigned the problem a top priority.

[ElMocoLoco]

A couple of things: I tried Chrome and was not impressed. I'm more impressed with FireFox and Internet Explorer 8 Beta (which I'm using right now). I don't complain about free or beta software, so I realize there will be problems and accept the risks. I like to think I'll always use the best software for the task, and will continue to try Chrome, but for now, I'm sticking with IE.

Regarding Google's automatic update, I can't believe they'll get away with that. Big no, no. Kind of like "big brother knows best" attitude. I'm glad they're providing choices, but I don't want to trade one big monopoly who the industry spent years trying to reign in, for another....

[ashkan21]

My version is actually 0.2.149.30. Wonder what was added in this version

[dood1386]

hi
i want to say a big problem about google chrome
this browser is good but when we are downloading a file or more files ,its usual we may close the browser,at this time ,browser will be closed without any warning and our downloads are terminated. i want google to fix this.
thanx to google