Tuesday, May 5, 2009

Stable Update: Security Fix

Google Chrome's Stable channel has been updated to version 1.0.154.64 to fix two security issues discovered by internal Google testing.

This release also contains
  • A new notification at startup that makes it easier to set Google Chrome as the default browser. If you don't want Google Chrome to be the default browser, you can click 'Don't ask again'.
  • A new version of Gears (0.5.16.0)
Security Fixes

CVE-2009-1441: Input validation error in the browser process.
A failure to properly validate input from a renderer (tab) process could allow an attacker to crash the browser and possibly run arbitrary code with the privileges of the logged on user. To exploit this vulnerability, an attacker would need to be able to run arbitrary code inside the renderer process.


Severity: Critical. An attacker might be able to run code with the privileges of the logged on user.

Mitigation: An attacker would need to be able to run arbitrary code in the renderer process.



CVE-2009-1442: Integer overflow in Skia 2D graphics.
A failure to check the result of integer multiplication when computing image sizes could allow a specially-crafted image or canvas to cause a tab to crash and it might be possible for an attacker to execute arbitrary code inside the (sandboxed) renderer process.


Severity: High. An attacker might be able to run arbitrary code within the Google Chrome sandbox.

Mitigations:
  • A victim would need to visit a page under an attacker's control.
  • Any code that an attacker might be able to run inside the renderer process would be inside the sandbox. Click here for more details about sandboxing.
Mark Larson
Google Chrome Program Manager

9 comments:

fastharry™ said...

Hi Mark,

I just DL'd the newest version listed here, and it has crashed more in the last 2 hours than 154 did in 2 weeks...

Tom said...

I have this latest version with no problems, thanks. Any timeframe on when the first 2.0 stable release will come?

Sim said...

current 2.0 version is very stable. I use it every day.

fastharry™ said...

is it possible to keep using 164, and have 2.0 on the pc at the same time so I can try both?..

Amakkavu said...

Until and unless Google Chrome improves upon IE and Firefox in features and facilities, it will be treated as an also ran.

Steve said...

Did I miss something, or every time I run Google Chrome have I got to explicitly go Menu -> Tools -> About to see if it is up to date or I am running a version with big security hole in it? Could it not check for itself at startup - like, um, Firefox?

fastharry™ said...
This comment has been removed by the author.
fastharry™ said...

you know, the funny part is, there have been articles lately on engadget and such, about how people using "auto" updating browsers( like firefox) are less prone to getting malware and all...and they also listed Chrome as self updatind for security fixes...and I'm like, HOW?..when you manually have to check....

BTW, guess I wasn't wrong with my first post about crashing upon updating to 164....was I Tom?..

165 now runs great...

Sarthak said...

A good security release for google chrome.
It has no issues at all.
Wow ...i like the browser.