August 25, 2009 11:40 AM PDT

Google patches severe Chrome vulnerabilities

by Stephen Shankland

Google has fixed two high-severity vulnerabilities in the stable version of its Chrome browser that could have let an attacker remotely take over a person's computer.

With one attack on Google's V8 JavaScript engine, malicious JavaScript on a Web site could let an attacker gain access to sensitive data or run arbitrary code on the computer within a Chrome protected area called the sandbox, Google said in a blog post Tuesday. With the other, a page with XML-encoded information could cause a browser tab crash that could let an attacker run arbitrary code within the sandbox.

Chrome 2.0.172.43 (click to download for Windows) fixes the issues and another medium-severity issue. Once Chrome is installed, it retrieves updates automatically and applies them when people restart the browser.

Google won't release details of the vulnerabilities until "a majority of users are up to date with the fix," Engineering Program Manager Jonathan Conradt said in the blog post.

Stephen Shankland writes about a wide range of technology and products, but has a particular focus on browsers and digital photography. He joined CNET News in 1998 and since then also has covered Google, Yahoo, servers, supercomputing, Linux and open-source software, and science. E-mail Stephen, or follow him on Twitter at http://www.twitter.com/stshank.
(40 Comments)
by RompStar_420 August 25, 2009 12:27 PM PDT
I like Google search engine and free email, but I am not impressed with this Google Chrome at all.
by Lennron August 26, 2009 8:35 AM PDT
Most people aren't. But to be fair, Chrome is still pretty much in its beginning phases.
by slecalvez August 25, 2009 1:04 PM PDT
People are impressed by everything Google does, even if it's a piece of crap. They have this Halo around its brand that is amazing.
by Al3d August 25, 2009 1:25 PM PDT
hhhmmm kinda of reminds me of another company, I think its name it's apple or something like that
by YankeePoodle August 25, 2009 1:58 PM PDT
what would Google and Apple fan boys do? They grapple each other (I will leave the rest to your imagination)
by keano12 August 25, 2009 4:52 PM PDT
Well since I'm not sure what kind of Fanboy Slecalvez is but to be extremely honest, Google Chrome isn't the most impressive browser around but it is the browser making the biggest so far. If you're an Apple Fanboy I totally understand why you would hate Google Chrome. Simply, you think you're better when you're really not so you're just really insecure about yourself. If a Microsoft Fanboy, well totally understandable as well as the IE browser is still a pain in the neck now if you're just a normal consumer, TAKE A HIKE we don't need you guys here lol :) joke.
by slecalvez August 25, 2009 10:02 PM PDT
I'm neither an apple nor a google fan boy. I have no affiliation at all. I can also say I cannot understand how some people were stupefied by a phone that had copy/paste until version 3, almost 3 years after it launched. Both of these companies have good products but they have such a powerful branding strategy that a lot of people are drinking the koolaid. Google = innovation? Google.com has changed in the past 10 years... Their page rank, the way they display a boring list of results is the same... yaaaaaaawn.. Oh, but it's ok because it's Google. Sorry.
by knowles2 August 26, 2009 10:28 AM PDT
Why change what works? They do igoogle to allow people to add stuff to the main search if people wanted it, surprisingly few do.
As for google search results they're quick and they work and surprisingly again people like the way it is.
Now I'm all for change and undoubtedly google will eventually modify the way it displays the result, it's already working on the back end they will probably move to the front end afterwards.
by RandyShack August 27, 2009 1:52 PM PDT
@Keano12:

Apple users hate Chrome? It and Safari come from the same open source project, namely WebKit. Only the ignorant would expect users of Apple's WebKit based browser to hate Google's WebKit based browser.
by Vegaman_Dan August 25, 2009 1:07 PM PDT
I'm still having trouble with the Chrome logo without thinking "Simon."

"Simon is a computer."
"Simon has a brain."
"Do everything that Simon says,"
"Or you'll end up down the drain."

Remember that advertising jingle by Vincent Price? Creepy how it still applies to things like Google, Microsoft, and Apple these days...
by AppleSuxLeo August 25, 2009 1:22 PM PDT
Darn...you mean to tell me Google AND Apple also have massive holes in their software ?
by knowles2 August 26, 2009 10:30 AM PDT
Yeah just like most software, in fact all software has got holes, it's just a matter of how hard and how much effort you want to put into finding those holes.
by AluminumMonster August 25, 2009 2:03 PM PDT
*** I was told through the internet that only MS has these kinds of problems???? was i lied to by the internet??? PLZ HELP I threw away all my anti virus programming cause i was using an apple with google chrome.
by FF2009 August 25, 2009 3:00 PM PDT
Why would you have a Virus program installed on a Mac? or are you being sarcastic? Macs don't need one. Windows do.
by keano12 August 25, 2009 4:55 PM PDT
And I thought mac people were smart, well look on here, another stupid one. Wew FYI for those Apple FEMALE DOGS, the very first Viruses ran on the coding of an Apple and up until now, you're just thinking you're not infected but you really are. Oh be careful what you guys say, I may be a hacker tracing your IP address through your service provider to do a drive-by download on a page you're visiting and installing to go through a VERY VULNERABLE hole at your port 5098. :)
by Lennron August 26, 2009 8:39 AM PDT
@keano12

Touche. I had four friends that all swore to Apple like it was second only to Jesus. One of them got multiple trojans until his Mac barely ran at all anymore. One crashed and all data was unrecoverable. The other got hacked and had plenty of personal info stolen including bank account info. Needless to say, I only have one friend left that's a Mac user, and he's much more cautious now than he used to be.
by goodspeed8701 August 25, 2009 2:28 PM PDT
I still don't know why I should use anything other than IE8. It's the most secured browser hate it or love it.
by jake3373 August 25, 2009 6:03 PM PDT
Wow... maybe if you TRIED other browsers like Firefox, Chrome, or Safari, you would see WHY you should ditch IE8.
by spatulate August 26, 2009 1:04 AM PDT
*** IE8 is far from the most secure browser! have you heard of firefox?!
by Lennron August 26, 2009 8:26 AM PDT
IE8 is very secure actually. The other browsers have fun toys that IE doesn't, but that's the extent of it. I've tried Firefox, Chrome, Safari, Opera, Avant, and others. I've even used those add-ons that are supposed to give you EXTRA protection on a seemingly secure browser, but I get the exact same amount of adware in my weekly malware scans no matter what. Why use a browser that many websites still don't support when you could just use IE8 which is just as safe if not safer and visit every site without problems?
by c|net Reader August 26, 2009 2:26 PM PDT
@Lennron

IE8 is not very secure, actually. There are numerous articles from reputable sites (Computerworld, Cnet, etc.) that discuss the in-built vulnerabilities of its design and the lethargy evident in MS' patches to address identified vulnerabilities.

You won't see a change in the amount of spam and malware you receive in e-mail by switching browsers. Once you're on spammer's lists, you'll get spam for a long time, but that's from sites that sell your e-mail address, for example. A more secure browser will help prevent your getting malware, however.
by Lennron August 26, 2009 2:53 PM PDT
@cnet Reader

Yeah, and you find articles from the same reputable sites about vulnerabilities in all the other browsers, making IE8 just as secure.

I didn't just simply change a browser on one computer and continue to get spam on one email address. I'm talking on all my home computers, several computers at work, several different email addresses (work and personal.) No browser does a better job at preventing malware. You browse the internet, you get it, end of story. It's time for people to drop their false sense of security for using a different browser, that's all.
by Hokulea August 26, 2009 11:31 PM PDT
Running IE8 in protected mode on Vista is currently the most secure option for MS users. There are quite a few security researchers who have stated this as fact. It blocks more malware than any other browser out there.

However, my primary browser is Firefox 3.5 simply because of Adblock Plus. I hate ads. There is one thing about Fx that I do absolutely loathe, and that is the bookmarks function. It's such a PITA.
by FutureGuy August 25, 2009 3:07 PM PDT
Nothing to see here, anything Google puts out is perfect.
/s
by cbiz21 August 25, 2009 11:59 PM PDT
I've played with all the browsers.

Before Chrome I used Opera and Firefox.

Now I like Chrome.

If you haven't given it a go you should.
by pwnazs August 26, 2009 2:15 AM PDT
i tried everything and chrome is the bestest browser. **** liek ie8 is nowhere from it.
by Lennron August 26, 2009 8:27 AM PDT
i know, like, totally for real, right?
by LiAFCipE August 27, 2009 9:12 PM PDT
Fail
by damian5000 August 26, 2009 7:42 AM PDT
Until Chrome has mouse gestures I won't be using it. That being said, we'd be in the dark ages still without google and its products. They have furthered the internet more than most people can even guess at. MSN and Yahoo are a joke comparatively speaking. On top of all that, their humanitarian pursuits are unparalleled.
by Lennron August 26, 2009 8:34 AM PDT
Seriously? I don't hate Google or anything, but have you actually tried Bing? It is like Google Plus Plus Plus. The web search is almost identical, but the image and video search are far more advanced. Not to mention shopping on Bing you can get cash back, and Bing can even tell you when to buy airline tickets at the cheapest rates.
And I don't know about Microsoft's humanitarian pursuits, but the founder Bill Gates' humanitarian has to at least come CLOSE.
I think if Google and Microsoft worked together instead of against each other, we'd all be in a much better place, tech-wise, today.
by pdx777 August 26, 2009 10:44 AM PDT
No software is 100% secure, there are always going to be bugs, security holes, etc. as long as humans still do the programming, it's always going to be like that. I for one am glad that Google has patched the vulnerabilities, and is taking the approach of not releasing information regarding it until most people have upgraded to the newer version. They could easily have taken the Microsoft approach where they spot a vulnerability, release information about it, and wait a month or 2 before they patch it.
by RandyShack August 27, 2009 2:27 PM PDT
Eh? Steve chair thrower "I'm gonna f-ing kill Google" Ballmer ever work together with Google? Not likely here in this world where the sky is blue and the earth is round..
by Hokulea August 26, 2009 11:22 PM PDT
@pdx777 When it comes to patching vulnerabilities, Microsoft is actually much better than Apple.

From "Symantec Global Internet Security Threat Report - Trends for 2008 - Volume XIV, Published April 2009":

"Of any browser analyzed in 2008, Apple Safari had the longest window of exposure (the time between the release of exploit code for a vulnerability and a vendor releasing a patch), with a nine-day average; Mozilla browsers had the shortest window of exposure in 2008, averaging less than one day."

"Mozilla browsers were affected by 99 new vulnerabilities in 2008, more than any other browser; there were 47 new vulnerabilities identified in Internet Explorer, 40 in Apple Safari, 35 in Opera, and 11 in Google Chrome."

Secunia - secunia.com/advisories (by product 11 pm MST on Aug. 26, 2009)

Mac OS X vs Vista for 2009 to date:

Apple Mac OS X
Solution Status (Based on 7 advisories from 2009)
Unpatched: 14%
Criticality: Extremely 0%; Highly 71%; Moderately 29%
Remotely Exploitable: 86%

MS Vista
Solution Status (Based on 13 advisories from 2009)
Unpatched: 0%
Criticality: Extremely 0%; Highly 38%; Moderately 38%
Remotely Exploitable: 62%

Mac OS X vs Vista for 2008:

Apple Mac OS X
Solution Status (Based on 12 advisories from 2008)
Unpatched: 0%
Criticality: Extremely 0%; Highly 67%; Moderately 25%
Remotely Exploitable: 92%

MS Vista
Solution Status (Based on 30 advisories from 2008)
Unpatched: 10%
Criticality: Extremely 0%; Highly 27%; Moderately 27%
Remotely Exploitable: 50%

As you can see, Mac OS X has more unpatched vulnerabilities, more highly critical vulnerabilities, and more remotely exploitable vulnerabilities than MS Vista for both 2008 and 2009. If you don't believe me check for yourself. There are facts and there are assumptions. The truth is, MS is doing a pretty good job these days.
by Lennron August 27, 2009 6:33 AM PDT
@Hokulea

You do realize that exposing Apple for being the price gouging piece of crap that it really is means you're going to hell, right?
Every nerd in the country will be at your doorstep shortly.
by erenjoey August 27, 2009 3:14 AM PDT
somebody tell me what chrome always seems downloading and uploading in background, it makes my computer slow and googleupdate.exe (which is running on startup - even when chrome not running) overloads cpu unnecessarily. what info does google want from my computer..?? I wanna ask people.. (I am not a basic user, I am a developer so i tested it on several systems)
by LiAFCipE August 27, 2009 9:49 PM PDT
More or less, Google understands that the best way to keep a browser secure is to remove the need for the user to update the program themselves. Most people I know have never heard of updating their programs, they must believe there is some sort of magical powers that do that "stuff" for them. Recently Google changed the behavior of the updater to run periodically through Windows Task Scheduler rather than constantly having it run in the background hogging system resources.
by abocc327 August 27, 2009 8:27 AM PDT
is it fixed yet
im currently running 2 fire walls does that protect my vulnerability
by fdunn3 August 27, 2009 12:20 PM PDT
Sounds like Chromes "sand-boxing" is just a gimmick. I can hardly wait to see the full fledged Chrome OS when they are having so many problems just keeping a web browser secure.
by LiAFCipE August 27, 2009 9:56 PM PDT
Thanks Google, but I believe I am going to be sticking with Firefox for the time being
by aitchondo August 27, 2009 11:51 PM PDT
Who is the "poor fool" who thinks a Mac doesn't get infected? I'm using my PC right now, Windows Browser, but will be on the Unix shortly, with Firefox. Firefox, believe it or don't, isn't that secure on a regular PC. As for Chrome, some people may like it, like they like the new line of cars out there, but some of us need more... Shelby Cobra rules!