Security

Read all 'JavaScript' posts in Security
August 25, 2009 11:40 AM PDT

Google patches severe Chrome vulnerabilities

by Stephen Shankland

Google has fixed two high-severity vulnerabilities in the stable version of its Chrome browser that could have let an attacker remotely take over a person's computer.

With one attack on Google's V8 JavaScript engine, malicious JavaScript on a Web site could let an attacker gain access to sensitive data or run arbitrary code on the computer within a Chrome protected area called the sandbox, Google said in a blog post Tuesday. With the other, a page with XML-encoded information could cause a browser tab crash that could let an attacker run arbitrary code within the sandbox.

Chrome 2.0.172.43 (click to download for Windows) fixes the issues and another medium-severity issue. Once Chrome is installed, it retrieves updates automatically and applies them when people restart the browser.

Google won't release details of the vulnerabilities until "a majority of users are up to date with the fix," Engineering Program Manager Jonathan Conradt said in the blog post.

Originally posted at Deep Tech

June 11, 2009 8:32 AM PDT

Google Native Client grows out of research phase

by Stephen Shankland

Satisfied that its security underpinnings are solid, Google has promoted its open-source Native Client technology to accelerate Web applications out of its research phase and is taking steps to build it into the Chrome Web browser.

"Based on our experience to date, we believe that the basic architecture of our system is sound and the implementation is supportable. So now we are undertaking a number of tasks to transition Native Client from a research technology to a development platform," said Brad Chen, Google's Native Client engineering manager, in a mailing list announcement Wednesday.

Brad Chen, engineering manager of the Google Native Client

(Credit: Stephen Shankland/CNET)

Native Client, called NaCl for short, is a mechanism to run software downloaded over the Web directly on x86 processors such as Intel's Core line. The key motivation is to attain the speed of regular "native" software installed on a computer rather than the much slower JavaScript environment that sophisticated Web sites use today. It's one part of Google's broad effort to evolve the Web from a collection of relatively static sites into a foundation for more powerful applications.

Executing native code from the Web is easy--until you start trying to worry about security risks. To this end, Native Client examines software before it runs to block software that takes a variety of prohibited actions, an idea called static analysis, and it runs the software in a protected sandbox.

"We recognized the underlying technology to be ambitious and risky, and felt strongly that a generous measure of public scrutiny was appropriate before we committed to any definite plans," Chen said. Satisfied that Native Client passed muster, Google will remove various security constraints such as the inability to execute Native Client software downloaded from the open Internet, he said.

Native Client was first introduced in December as a browser plug-in, but Google doesn't like that approach.

"We recognize that there is well-justified resistance to installing browser plug-ins. For this reason we have a strong preference for delivering Native Client pre-installed or built into the browser, and we'll be focusing on that as our main strategy for delivering Native Client to users," Chen said.

And now we see one reason why Google is interested in having a browser of its own available: "Careful readers may have already noticed evidence of integration into Chromium in the Native Client source," Chen said, referring to the open-source project that underlies the Chrome browser.

Google touted Native Client at its Google I/O conference in May, showing off a Web-based photo editor as an example of the processing power the technology offers. Google also is trying to pair Native Client with another company project, O3D, which lets browsers take advantage of hardware to accelerate 3D graphics.

Originally posted at Webware

June 2, 2009 4:10 PM PDT

New malware attack infecting Web sites

by Tom Krazit

Security firm Websense has put out an advisory warning Web site owners about malicious code that redirects surfers to seemingly safe sites.

About 40,000 Web sites appear to have been compromised with rogue JavaScript code that redirects Web surfers to a fake Google Analytics site, after which they get passed onto a site that tries to exploit Internet Explorer or Firefox vulnerabilities to infect that PC with malware, according to a Websense researcher quoted by Computerworld. Just for good measure, if the site can't find a browser vulnerability, it tries to trick the user into downloading a Trojan.

It's not clear how the sites were compromised, but Computerworld reported the redirect sites are being hosted in the Ukraine, implying that the Russian Business Network is behind the threat.

This is a separate scam from the Gumblar attack that made the rounds last week, according to Websense.

April 27, 2009 4:00 AM PDT

Google plugs PC power into cloud computing

by Stephen Shankland

Even at the cutting edge of cloud computing, Web-based applications can be frustrating to write and to use.

Spreadsheets can't sort data well, there are lags between mouse clicks and the program's response, graphics look Mickey Mouse rather than lavish. But Google, among the most aggressive cloud computing advocates, is trying to address some of those shortcomings.

The company has released experimental but still very much real software that brings in some of the power of the PC, where people often use Web applications. Google Native Client--first released in 2008 but updated with a new version Thursday--is a browser plug-in for securely running computationally intense software downloaded from a Web site. And on Tuesday, Google released O3D, a plug-in that lets Web-based applications tap into a computer's graphics chip, too.

The projects are rough around the edges, to say the least. Native Client--NaCl for short--is more security research project than usable programming foundation right now, and O3D exists in part to try to accelerate the arrival of some future, not necessarily compatible, standard for building 3D abilities into Web applications.

Google Native Client is shown here running a fractal landscape explorer.

(Credit: Google)

But both fundamentally challenge the idea that Web apps necessarily are stripped-down, feeble counterparts to the software that runs natively on a personal computer, and they come from a company that has engineering skill, a yen for moving activity to the Internet, and search-ad profits that can fund projects that don't immediately or directly make money.

"There are things you can do in desktop apps that you can't do in Web apps. We're working very hard to close that gap, so anything you can do in a desktop application you can do safely and securely from a Web application," said Linus Upson, a Google engineering director.

Originally posted at Webware

October 3, 2008 12:01 AM PDT

'Internet safety' may be an oxymoron

by Dennis O'Reilly

To the short list of life's certainties--death and taxes--we can now add "Web threats."

Early indications are that there will be no quick fix for clickjacking, which enables a PC to be infected with malicious software simply by clicking a disguised link on a Web page. All browsers are equally vulnerable, and there appears to be no sure solution, at least in the short term. Even disabling JavaScript and other advanced Web features won't prevent an infection.

Does this mean you should cancel your broadband account and dig out the ham radio? I don't recommend it. In fact, reports such as these show the folly of believing that our Web browsing is ever completely safe. No hardware or software will ever be 100 percent secure.

Yes, keep your antivirus definitions up-to-date. Yes, use a firewall. Download and install Giorgio Maone's NoScript extension for Firefox (donation requested) to gain site-by-site control over the scripts that run in the browser.

But even these precautions are no substitute for common sense. Be careful about the sites you visit and the links you click. View your e-mail as plain text; Microsoft's support site provides instructions for doing so in Outlook 2003 and 2007. In Mozilla Thunderbird, simply click View, Message Body As, Plain Text.

Last, but definitely not least, every PC user must acknowledge that the day will dawn when their system crashes for good--whether due to a malware attack or (more likely) a hardware or software failure. Keep your data backed up. In addition to creating an image backup of your hard drive once or twice a year, using a program such as Acronis' $50 True Image Home (15-day free trial), use an online backup service to keep your important data files fresh.

Originally posted at Workers' Edge

Dennis O'Reilly has covered PCs and other technologies in print and online since 1985. Along with more than a decade as editor for Ziff-Davis's Computer Select, Dennis edited PC World's award-winning Here's How section for more than seven years. He is a member of the CNET blog Network, and is not an employee of CNET.

September 8, 2008 4:31 PM PDT

Google reveals Chrome security patch details

by Stephen Shankland

Earlier today, Google was keeping mum about a three-day-old security fix to its Chrome browser, but now the company has revealed details of two critical-risk vulnerabilities and some lesser issues it says are fixed.

The critical patches relate to buffer overrun vulnerabilities that could have let a remote attacker execute arbitrary software on a Chrome user's computer, said Mark Larson, a Google Chrome program manager, in a mailing list posting Monday afternoon. The first patch fixed a vulnerability in handling long file names, called the SaveAs vulnerability, and the second a vulnerability in dealing with the Web site addresses displayed in Chrome's status area when the user hovers over a link.

An update to Google Chrome means the browser can head off a particular technique that previously could crash the browser.

(Credit: Stephen Shankland/CNET News)

Larson also established a Google Chrome Releases blog for announcements and release notes relating to Chrome. The company had said earlier it was working on a way to release that information, in part after people requested such notes well after Google started automatically updating Chrome browsers without saying what exactly was in the update.

Google fixed two lesser security issues, too. First was an issue in which typing "about:%" in the address bar could crash the computer. The problem also meant that a Web page with that text as a hyperlink could crash the browser if a user hovered the mouse pointer over the link. Second was to prevent the user's desktop from being the default download directory to mitigate "the risk of malicious cluttering of the desktop with unwanted downloads, which can lead to executing unwanted files," Larson said.

Other fixes addressed non-security issues: a JavaScript problem with Facebook; a problem suggesting search terms while using various Web sites; and some data-transfer issues with the Safe Browsing mode.

September 8, 2008 10:30 AM PDT

Google fixes Chrome vulnerabilities--but won't say which

by Stephen Shankland

Updated 1:44 p.m. PDT with details that Chrome automatically updates itself with no notification or choice for the user.

Google has quietly begun releasing a hastily prepared update to its Chrome browser to fix some security problems.

The new version, 0.2.149.29, replaces the 0.2.149.27 that was released when Google launched the Chrome beta version last week. Google started releasing the update Friday, initially to a small number of users, but didn't make much of an announcement about the change.

To check if an update is available, click the wrench icon in Chrome's upper-right corner, then select 'about Google Chrome.'

(Credit: Josh Lowensohn/CNET News)

"149.29 is a security update and we released it as fast as we could," said Mark Larson, Google Chrome program manager, in a mailing list posting on Sunday. "We would've liked more time to prepare things, but some of the vulnerabilities were made public without giving us a chance to respond, update, and protect our users first. Thanks for being patient as we work out the kinks in all of our processes."

However, Google isn't revealing details yet about what security issues it's fixed.

"All users have not received the update yet, so we cannot discuss the details of the security issues that were addressed, but we plan to disclose more information once the update has reached all of our users," the company said in a statement Monday.

To check if an update is available, Chrome users can click the wrench icon in Chrome's upper-right corner, then select "about Google Chrome." That will show both the version number and a message indicating whether an update is available.

Google knows best
Without a manual check, Chrome will update itself automatically, Google said. "Google Chrome will automatically check for updates approximately every five hours. If an update is available, it will be downloaded and applied at the next browser restart," Google said.

Google believes it's best if Chrome applies security updates not only without a description of what's changing, but also without an opportunity for users to decide whether to accept the patch.

"Users do not get a notification when they are updated...When there are security fixes, it's crucial that we update our users as quickly as possible in order to keep them safe. Thus, it's important for us to not require user intervention," the company said in a statement. "There are some security fixes that we'll keep quiet because we don't want to disclose security vulnerabilities to attackers."

The automatic update policy applies to security and bug fixes. "For major version updates, when feature changes are involved, we'll explore options for providing users with more details about the changes," Google said.

Microsoft and Mozilla encourage users to download and apply updates automatically to Internet Explorer and Firefox, respectively, but users can choose not to do so.

Automatic updates can cause indigestion in corporations where internal administrators often want control over what software is running or not for compatibility, security, and other reasons. But browser vulnerabilities loom larger as more applications move to the Web and more people rely on those services, and automatic updates can help nip attacks in the bud.

Open-source redactions
Don't look for clues about the vulnerabilities in the Chrome source code. The open-source Chromium project has publicly available mailing lists and source code, but many recent changes to the code base are redacted to show only a blank page rather than the detailed changelog notes of other changes.

"Most of the changes are visible, aside from security changes, which we must keep private in order to keep users safe," Google said of the changelog.

Programming fans also won't be able to glean any insights from the Chrome update plug-in, which is proprietary.

"We use this updater and the server architecture it interfaces with to update across many of our products, some of which are not open source," Google said. "It's not that we are trying to hide anything; rather, it's just that this update infrastructure is not intended to be used by others who may distribute their own versions of the browser based on Chromium code."

Reported vulnerabilities
One security problem found in Chrome version 0.2.149.27 is a carpet-bombing vulnerability that could help an attacker install malicious software on a user's computer without giving the user a chance to accept or reject the download. Google assigned the problem a top priority.

Another reported issue in Chrome 0.2.149.27 is a buffer overrun that could allow an attacker to run arbitrary code on a user's computer and thereby take control of it, according to Bach Khoa Internet Security.

The company was willing to discuss some other details about the update, though. For one thing, the company fixed a JavaScript problem that could cause problems using Facebook. For another, it fixed a problem that would crash the entire browser if a person typed "about:%" into the address bar. Google called the problem "non-exploitable, but very annoying," reflecting the removal of the "security" label from the bug report.
