Tuesday, August 25, 2009

Stable Update: Security fixes

Google Chrome 2.0.172.43 has been released to the Stable channel to fix the security issues listed below.

CVE-2009-2935 Unauthorized memory read from Javascript

A flaw in the V8 Javascript engine might allow specially-crafted Javascript on a web page to read unauthorized memory, bypassing security checks. It is possible that this could lead to disclosing unauthorized data to an attacker or allow an attacker to run arbitrary code.

More info: http://code.google.com/p/chromium/issues/detail?id=18639 (This issue will be made public once a majority of users are up to date with the fix.)

Severity: High. An attacker might be able to run arbitrary code within the Google Chrome sandbox.

Credit: This issue was found by Mozilla Security.

Mitigations:
  • A victim would need to visit a page under an attacker's control.
  • Any code that an attacker might be able to run inside the renderer process would be inside the sandbox. Click here for more details about sandboxing.

Security Fix: Treat weak signatures as invalid

Google Chrome no longer connects to HTTPS (SSL) sites whose certificates are signed using the MD2 or MD4 hashing algorithms. These algorithms are considered weak and might allow an attacker to spoof an invalid site as a valid HTTPS site.

More info: http://code.google.com/p/chromium/issues/detail?id=18725 (This issue will be made public once a majority of users are up to date with the fix.)

Severity: Medium. Further advances in attacks against weak hashing algorithms may eventually permit attackers to forge certificates.

Credit: Dan Kaminsky, Director of Penetration Testing, IOActive Inc., Meredith Patterson and Len Sassaman. See their paper at http://www.ioactive.com/pdfs/PKILayerCake.pdf
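The fix above is a policy decision made before any signature is verified: look at the certificate's signature algorithm identifier and refuse MD2- or MD4-signed certificates outright. The following is an added example, not Chromium's own code, of how such a check can be implemented over raw DER with nothing but the Python standard library. It reads both the outer signatureAlgorithm and the inner tbsCertificate.signature field (RFC 5280 requires the two to match) and fails closed on weak, mismatched or unrecognised algorithms. The certificates it inspects are constructed skeletons that carry only the fields the check needs; the helper names and the truncated structure are this example's own assumptions, and the PKCS#1 OIDs are the standard ones.

```python
# Added example (not Chromium code): fail-closed check of an X.509 certificate's
# signature algorithm, mirroring the policy in the post (MD2/MD4 are invalid).
# Standard library only; the sample certificates below are constructed skeletons.

# PKCS#1 signature-algorithm OIDs (RFC 3279 / RFC 8017).
KNOWN_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.3": "md4WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
# The policy described in the post: MD2 and MD4 signatures are treated as invalid.
WEAK_SIGNATURE_OIDS = frozenset({"1.2.840.113549.1.1.2", "1.2.840.113549.1.1.3"})


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw: bytes) -> str:
    """Decode OBJECT IDENTIFIER content bytes into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _algorithm_oid(alg_id: bytes) -> str:
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }"""
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def signature_algorithms(der: bytes):
    """Return (inner, outer) signature OIDs of a DER Certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    tbsCertificate begins with [0] version (optional), serialNumber, signature.
    """
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a Certificate SEQUENCE")
    _, tbs, pos = _read_tlv(cert, 0)         # tbsCertificate
    _, outer_alg, _ = _read_tlv(cert, pos)   # signatureAlgorithm
    tag, _, tpos = _read_tlv(tbs, 0)
    if tag == 0xA0:                          # skip the optional EXPLICIT version
        tag, _, tpos = _read_tlv(tbs, tpos)
    if tag != 0x02:
        raise ValueError("expected serialNumber INTEGER")
    _, inner_alg, _ = _read_tlv(tbs, tpos)   # tbsCertificate.signature
    return _algorithm_oid(inner_alg), _algorithm_oid(outer_alg)


def check_signature_algorithm(der: bytes, weak=WEAK_SIGNATURE_OIDS):
    """Fail-closed verdict as (accepted, reason)."""
    inner, outer = signature_algorithms(der)
    if inner != outer:                       # RFC 5280 4.1.2.3: the two must match
        return False, f"rejected: algorithm mismatch ({inner} vs {outer})"
    if outer in weak:
        return False, f"rejected: {KNOWN_SIGNATURE_OIDS.get(outer, outer)} is weak"
    if outer not in KNOWN_SIGNATURE_OIDS:
        return False, f"rejected: unrecognised algorithm {outer}"
    return True, KNOWN_SIGNATURE_OIDS[outer]


# --- constructed test data: a Certificate skeleton, not a real certificate ---
def _tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_skeleton_certificate(outer_oid: str, inner_oid: str = None) -> bytes:
    """Truncated Certificate carrying the given signature OIDs (constructed, for tests)."""
    def alg_id(oid):
        return _tlv(0x30, _tlv(0x06, _encode_oid(oid)) + b"\x05\x00")   # NULL params
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02"))     # version v3
                     + _tlv(0x02, b"\x01")               # serialNumber 1
                     + alg_id(inner_oid or outer_oid))   # signature; rest omitted
    return _tlv(0x30, tbs + alg_id(outer_oid) + _tlv(0x03, b"\x00" * 9))


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.2", "1.2.840.113549.1.1.11"):
        print(oid, check_signature_algorithm(build_skeleton_certificate(oid)))
```

The policy lives in a data table rather than in the parsing code, so extending it later (passing `weak=WEAK_SIGNATURE_OIDS | {"1.2.840.113549.1.1.4"}` to retire MD5 as well) changes no logic. Rejecting unrecognised OIDs is a deliberate fail-closed choice: a client that only blocklists known-weak algorithms will happily accept an identifier it has never heard of.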
CVE-2009-2414 Stack consumption vulnerability in libxml2

Pages using XML can cause a Google Chrome tab process to crash. A malicious XML payload may be able to trigger a use-after-free condition. Other tabs are unaffected.

More info: See the CVE entries noted in this report.

Severity: High. An attacker might be able to run arbitrary code within the Google Chrome sandbox.

Credit: Original discovery by Rauli Kaksonen and Jukka Taimisto from the CROSS project at Codenomicon Ltd. The Google Chrome security team determined that Chrome was affected.

Mitigations:
  • A victim would need to visit a page under an attacker's control.
  • Any code that an attacker might be able to run inside the renderer process would be inside the sandbox. Click here for more details about sandboxing.

Jonathan Conradt
Engineering Program Manager

11 comments:

javkov said...

When is Chrome v3 going to be stable?

Borsa said...

Thanks for this nice blog, and please let me take a copy to my site.

The Egyptian Stock Exchange

Egyptian Stock Exchange Forums

Saudi Stock Exchange Forum | Saudi Stock Market

Currency trading | Forex | Currency trading | Currency trading | Forex

saptarshi said...

What about the Dev release? I am using v4.0.202.0.

vijju said...

I thought Chrome would never have such serious flaws, given the detailed comic-style documentation/introduction for Chrome about sandboxes and this and that.

Chris said...

@vijju: thanks for bringing up sandboxing. These bugs are not rated "Critical" precisely because of the existence of the sandbox.

Chris Evans, Chrome Security Team

Wilson said...

I recently came across your blog and have been reading along. I thought I would leave my first comment. I don't know what to say except that I have enjoyed reading. Nice blog. I will keep visiting this blog very often.


Susan

http://3128proxy.com

Götz said...

Come on... please remove those SPAM comments.

And thanks for the updates!

Spencer said...

Why is Issue 18639 Forbidden?!

Fabio Turati said...

Because that issue contains a description of the bug, which might be useful to prepare an exploit. Not everybody updates/uses Chrome every day, which means that there are still some people using the old, vulnerable version. Hiding the description of the bug is a way to protect those people. Once the majority of Chrome users have updated, the danger of somebody exploiting the bug becomes irrelevant, and the issue can be made public.

It's true that this bug lets an attacker run code inside the sandbox, which means it's substantially harmless... Still, it's better to avoid it. After all, the only drawback is that if you want to satisfy your curiosity you'll have to wait for a couple of days, which is nothing terrible.

poll said...

You share valuable information and have an excellent design here! I would like to thank you for sharing your thoughts and time in the stuff you post!! Thumbs up. Please come visit my site Philadelphia Yellow Page Business Directory when you have time.

poll said...

I was thinking of looking up some of those newspaper websites, but am glad I came here instead. Although glad is not quite the right word… let me just say I needed this after the incessant chatter in the media, and am grateful to you for articulating something many of us are feeling, even from distant shores. Please come visit my site San Antonio Yellow Page Business Directory when you have time.