[Infowarrior] - Google mum on Chrome vuln fixes

Richard Forno rforno at infowarrior.org
Tue Sep 9 00:34:49 UTC 2008


(Note the 1344 update comment about forced autoupdates....who needs a  
backdoor now?  --rf)

September 8, 2008 10:30 AM PDT
Google fixes Chrome vulnerabilities--but won't say which
http://news.cnet.com/8301-1001_3-10035004-92.html


Updated 1:44 p.m. PDT with details that Chrome automatically updates  
itself with no notification or choice for the user.

Google has quietly begun releasing a hastily prepared update to its  
Chrome browser to fix some security problems.

The new version, 0.2.149.29, replaces the 0.2.149.27 that was released  
when Google launched the Chrome beta version last week. Google started  
releasing the update Friday, initially to a small number of users, but  
didn't make much of an announcement about the change.

To check if an update is available, click the wrench icon in  
Chrome's upper-right corner, then select 'about Google  
Chrome.'

"149.29 is a security update and we released it as fast as we could,"  
said Mark Larson, Google Chrome program manager, in a mailing list  
posting on Sunday. "We would've liked more time to prepare things, but  
some of the vulnerabilities were made public without giving us a  
chance to respond, update, and protect our users first. Thanks for  
being patient as we work out the kinks in all of our processes."

However, Google isn't revealing details yet about what security issues  
it's fixed.

"All users have not received the update yet, so we cannot discuss the  
details of the security issues that were addressed, but we plan to  
disclose more information once the update has reached all of our  
user," the company said in a statement Monday.

To check if an update is available, Chrome users can click the wrench  
icon in Chrome's upper-right corner, then select "about Google  
Chrome." That will show both the version number and a message  
indicating whether an update is available.

Google knows best
Without a manual check, Chrome will update itself automatically,  
Google said. "Google Chrome will automatically checks for updates  
approximately every five hours. If an update is available, it will be  
downloaded and applied at the next browser restart," Google said.

Google believes it's best if Chrome applies security updates not only  
without a description of what's changing, but also without an  
opportunity for users to decide whether to accept the patch.

"Users do not get a notification when they are updated...When there  
are security fixes, it's crucial that we update our users as quickly  
as possible in order to keep them safe. Thus, it's important for us to  
not require user intervention," the company said in a statement."There  
are some security fixes that we'll keep quiet because we don't want to  
disclose security vulnerabilities to attackers."

The automatic update policy applies to security and bug fixes. "For  
major version updates, when feature changes are involved, we'll  
explore options for providing users with more details about the  
changes," Google said.

Microsoft and Mozilla encourage users to download and apply updates  
automatically to Internet Explorer and Firefox, respectively, but  
users can chose not to do so.

Automatic updates can cause indigestion in corporations where internal  
administrators often want control over what software is running or not  
for compatibility, security, and other reasons. But browser browser  
vulnerabilities loom larger as more applications move to the Web and  
more people rely on those services, and automatic updates can help nip  
attacks in the bud.

Open-source redactions
Don't look for clues about the vulnerabilities in the Chrome source  
code. The open-source Chromium project has publicly available mailing  
lists and source code, but many recent changes to the code base are  
redacted to show only a blank page rather than the detailed changelog  
notes of other changes.

"Most of the changes are visible, aside from security changes, which  
we must keep private in order to keep users safe," Google said of the  
changelog.

Programming fans also won't be able to glean any insights from the  
Chrome update plug-in, which is proprietary.

"We use this updater and the server architecture it interfaces with to  
update across many of our products, some of which are not open  
source," Google said. "It's not that we are trying to hide anything;  
rather, it's just that this update infrastructure is not intended to  
be used by others who may distribute their own versions of the browser  
based on Chromium code."

Reported vulnerabilities

One security problem found in Chrome version 0.2.149.27 is a carpet- 
bombing vulnerability that could help an attacker install malicious  
software on a user's computer without giving the user a chance to  
accept or reject the download. Google assigned the problem a top  
priority.

Another reported issue in Chrome 0.2.149.27 is a buffer overrun that  
could allow an attacker to run arbitrary code on a user's computer and  
thereby take control of it, according to Bach Khoa Internet Security.

The company was willing to discuss some other details about the  
update, though. For one thing, the company updated a JavaScript  
problem that could cause problems using Facebook. For another, it  
fixed a problem that would crash the entire browser if a person typed  
"about:%" into the address bar. Google called the problem "non- 
exploitable, but very annoying," reflecting the removal of the  
"security" label from the bug report.



More information about the Infowarrior mailing list