[Infowarrior] - Google mum on Chrome vuln fixes
Richard Forno
rforno at infowarrior.org
Tue Sep 9 00:34:49 UTC 2008
(Note the 1344 update comment about forced autoupdates....who needs a
backdoor now? --rf)
September 8, 2008 10:30 AM PDT
Google fixes Chrome vulnerabilities--but won't say which
http://news.cnet.com/8301-1001_3-10035004-92.html
Updated 1:44 p.m. PDT with details that Chrome automatically updates
itself with no notification or choice for the user.
Google has quietly begun releasing a hastily prepared update to its
Chrome browser to fix some security problems.
The new version, 0.2.149.29, replaces the 0.2.149.27 that was released
when Google launched the Chrome beta version last week. Google started
releasing the update Friday, initially to a small number of users, but
didn't make much of an announcement about the change.
To check if an update is available, click the wrench icon in
Chrome's upper-right corner, then select 'about Google
Chrome.'
"149.29 is a security update and we released it as fast as we could,"
said Mark Larson, Google Chrome program manager, in a mailing list
posting on Sunday. "We would've liked more time to prepare things, but
some of the vulnerabilities were made public without giving us a
chance to respond, update, and protect our users first. Thanks for
being patient as we work out the kinks in all of our processes."
However, Google isn't revealing details yet about what security issues
it's fixed.
"All users have not received the update yet, so we cannot discuss the
details of the security issues that were addressed, but we plan to
disclose more information once the update has reached all of our
user," the company said in a statement Monday.
To check if an update is available, Chrome users can click the wrench
icon in Chrome's upper-right corner, then select "about Google
Chrome." That will show both the version number and a message
indicating whether an update is available.
Google knows best
Without a manual check, Chrome will update itself automatically,
Google said. "Google Chrome will automatically checks for updates
approximately every five hours. If an update is available, it will be
downloaded and applied at the next browser restart," Google said.
Google believes it's best if Chrome applies security updates not only
without a description of what's changing, but also without an
opportunity for users to decide whether to accept the patch.
"Users do not get a notification when they are updated...When there
are security fixes, it's crucial that we update our users as quickly
as possible in order to keep them safe. Thus, it's important for us to
not require user intervention," the company said in a statement."There
are some security fixes that we'll keep quiet because we don't want to
disclose security vulnerabilities to attackers."
The automatic update policy applies to security and bug fixes. "For
major version updates, when feature changes are involved, we'll
explore options for providing users with more details about the
changes," Google said.
Microsoft and Mozilla encourage users to download and apply updates
automatically to Internet Explorer and Firefox, respectively, but
users can chose not to do so.
Automatic updates can cause indigestion in corporations where internal
administrators often want control over what software is running or not
for compatibility, security, and other reasons. But browser browser
vulnerabilities loom larger as more applications move to the Web and
more people rely on those services, and automatic updates can help nip
attacks in the bud.
Open-source redactions
Don't look for clues about the vulnerabilities in the Chrome source
code. The open-source Chromium project has publicly available mailing
lists and source code, but many recent changes to the code base are
redacted to show only a blank page rather than the detailed changelog
notes of other changes.
"Most of the changes are visible, aside from security changes, which
we must keep private in order to keep users safe," Google said of the
changelog.
Programming fans also won't be able to glean any insights from the
Chrome update plug-in, which is proprietary.
"We use this updater and the server architecture it interfaces with to
update across many of our products, some of which are not open
source," Google said. "It's not that we are trying to hide anything;
rather, it's just that this update infrastructure is not intended to
be used by others who may distribute their own versions of the browser
based on Chromium code."
Reported vulnerabilities
One security problem found in Chrome version 0.2.149.27 is a carpet-
bombing vulnerability that could help an attacker install malicious
software on a user's computer without giving the user a chance to
accept or reject the download. Google assigned the problem a top
priority.
Another reported issue in Chrome 0.2.149.27 is a buffer overrun that
could allow an attacker to run arbitrary code on a user's computer and
thereby take control of it, according to Bach Khoa Internet Security.
The company was willing to discuss some other details about the
update, though. For one thing, the company updated a JavaScript
problem that could cause problems using Facebook. For another, it
fixed a problem that would crash the entire browser if a person typed
"about:%" into the address bar. Google called the problem "non-
exploitable, but very annoying," reflecting the removal of the
"security" label from the bug report.
More information about the Infowarrior
mailing list