RSSGoogle addresses its own security bugs in Chrome stable release update
By Scott M. Fulton, III | Published July 17, 2009, 5:46 PM
The stable channel for Google's Chrome Web browser (Chrome 2) has not seen a lot of action in recent weeks, perhaps indicating just how stable it has been. But a pair of exploitable defects that Google's engineers rate as "high" and "critical" have prompted the company to issue an automatic update to its deployed Chrome 2 Web browsers, beginning after midnight last night.
Although code running in Chrome is supposed to be tightly sandboxed, as engineers admitted very early this morning, the possibility existed for a maliciously crafted regular expression (RegEx, used in local searches) to generate a heap overflow, creating a situation where arbitrary code could be executed without the need for privilege. That was the "high" problem, which could lead to the ability to trigger the "critical" problem: An already compromised browser could then be maliciously maneuvered into allocating inordinately colossal memory buffers, thus slowing down the computer (denial of service) and possibly crashing the browser along the way.
Betanews tested the latest version 2.0.172.37 in Windows XP Professional SP3 (which seems to be Chrome's favorite platform of late) to determine any evidence of a performance hit. Benchmarks running regular expression tests did run about 3.4% more slowly on average than for build 2.0.172.33 -- a very acceptable performance hit for added security.
At present, there's no evidence that working exploits of these conditions were ever tested in the field -- they appear to have been just as much news to folks who try cracking browsers, as to anyone else.
I am not impressed if chrome runs faster. Given that they start from scratch, not needing to support any backward compatibility, it should run faster than older browsers that's been out for more than 10 years.
Score: 0
|A fictional conversation between Google and bugs:
Google- " Hey, can't we just be friends and all work together"
Bugs: "looking up then down..chomp..chomp...chomp
Google: :c'mon. if you behave, we'll give you some apple pie."
Bugs" "Apple pie?? chomp..chomp...chomp
Google: "we have a new build and you can either be a part of this great collaborative work or not"
Bugs: "chomp..chomp..chomp..
Google" Smack..I think some went under the frig.
Google Intern: "that's ok..we'll get them with the next build."
Bus (in background): chomp....chomp....chomp..new build?....chomping faster and laughing.
Fade to black
Score: 0
|My top reason for hating Chrome: Version and build number not clearly mentioned before download, installer not directly downloadable as the link is "hidden".
Score: -1
|Unless the Security hole is on a Microsoft Product. It's NO NEWS. Nobody cares. Only Microsoft get's bashed for security bugs. Anybody else (linux, Apple, Firefox, Chrome...you name it) can patch whatever they want anytime they want...it works as just another proof the Microsoft has security problems in their products!!!. It has come down to that...
Score: 0
|Chrome sucks!!!
Score: -1
|and Safari is mediocre at best
Score: 0
|Your spell checker needs to be fixed. There is no such word as "get's"--get is, get us? Probably not.
The fact that they're mentioning Chrome needing a security update is plenty. Microsoft is bashed regularly because they have the bugs and don't fix them timely or properly and (usually) neither does Apple and they're bashed regularly. Mozilla takes care of their security issues quickly and carefully.
Score: 0
|Get your statistics straight first before you claim that Microsoft takes longer to patch. That is absolutely false. Microsoft just gets more bashed and more publicity that's why YOU THINK it takes longer to patch.
Score: 0
|Got to love Chrome, heck it had fixed my version before I knew it even needed fixing, something Firefox has never been able to say. But then again Firefox has needed to fix more things than any other browser over the last few months.
Score: 0
|Google addresses its own security bugs in Chrome stable release update.
Is that something like "Naval Intelligence" ? LOL
Score: -1
|Such a really wonderful information all of user i am really impress your post
http://www.goarticles.co...bin/showa.cgi?C=1774265
Score: 0
|"Benchmarks running regular expression tests did run about 3.4% more slowly on average than for build 2.0.172.33 -- a very acceptable performance hit for added security."
...you do realize applying that same percentage to IE security updates, it would be operating about 600084572% more slo...oh, wait. It is. ;)
Score: 0
|