Mozilla credited with discovering exploitable Google Chrome 2 flaw

By Scott M. Fulton, III | Published August 25, 2009, 4:43 PM

Google is not saying much today about a flaw discovered in the V8 JavaScript engine of its Chrome 2 stable Web browser, one which triggered an update that is being rolled out to Chrome users today. Amid what it is sharing today, however, is a surprising fact: Mozilla Security is being credited with the discovery.

Malicious JavaScript, Google says, can cause the Chrome browser to run arbitrary code, although that code may still be contained by the browser's "sandbox" -- the restricted environment in which running page code has no direct access to system resources. However, it's conceivable that code running within the sandbox could provoke the user (by social means, perhaps by feigning a crash or system bug) into performing an action that triggers a more damaging process delivered through a different payload, so Google treated the issue with a "High" severity rating.

On the one hand, it's conceivable that Mozilla's security team may be testing other brands of open source browsers for the same possible exploits for which it tests various releases of Firefox. But a more plausible story is that a derivative of a Firefox bug, one already reported to or discovered by Mozilla's security team, was tried by Mozilla or Google against a Chrome browser, with the same detrimental results.

If that's the case, then the last Firefox bug to match the vague profile that Google's presented thus far is a Firefox 3.0.11 bug found last June 11 by legendary Firefox security contributor moz_bug_r_a4. Now, "chrome" in the Firefox vernacular is a term that predates "Chrome" as Google's browser brand name; Mozilla uses it to refer to the class of code that presents the on-screen appearance and controls for the browser, along with the elevated privilege that JavaScript code is granted to put them there. This way, JavaScript based in Web pages can't change the browser to the same extent that an add-on can.

On the surface, moz_bug_r_a4 had found a JavaScript bug that could lead ordinary code to be executed with "chrome privilege" -- again, nothing to do with Google Chrome, but with the keys to the browser interface being unlocked. More specifically, what he discovered and immediately reported was that a JavaScript object was being created in the middle of data instead of in protected memory, creating the possibility that a reference to a property of that object would move a pointer into that data, maybe triggering a crash or fault, and leaving that pointer open to exploitation and possible code execution.

Google promises to go in-depth about its own V8 JavaScript bug once it's determined that enough Chrome 2 users have installed the update.

Comments


Did fixing this make the browser faster or slower? ;)

Score: 0


"Mozilla Security is being credited with the discovery." Not surprised, after all they have gained much experience of late fixing their own browser. Firefox was in and out of the Mozilla patching shop on a daily basis last month. Good news however is that a new Opera will be ready for prime time probably as soon as Monday, so I say ditch Chrome, ditch Firefox and go Opera.

Score: -1


Opera is such a great browser. It tends to poorly render pages & crash quite a bit.
Hard to tell it is at v9+ where Firefox is not even at v4 and Fx just plain works.

News Flash!!! Developers patch their browsers.
The number of times is meaningless as long as the work is done.

Score: 0


I wouldn't say the credit for Mozilla Security is overly surprising. Browser vendors work together on security a lot behind the scenes. See for example this blog post which details some bi-directional sharing between Google and other browser vendors:

http://googleonlinesecur...b-browser-security.html

Chris Evans, Chrome Security Team

Score: 2


Wow. Big news. No one has ever found a flaw in browser code before.

Score: 0
