Google patches 6 serious Chrome bugs
And adds more entries to Chrome's SSL certificate blacklist as Comodo break-in makes news
Computerworld - Google on Thursday patched six vulnerabilities in Chrome, and as usual, silently updated users' copies of the browser.
The update to Chrome 10.0.648.204 also included two more entries to the browser's blacklist, a move related to last week's theft of nine digital certificates from a Comodo reseller.
All six bugs were rated "high," Google's second-most-serious ranking in its threat scoring system. Of the half-dozen bugs, two were "use after free" flaws -- a type of memory management bug that can be exploited to inject attack code -- while a second pair were pegged by Google as "stale pointer" vulnerabilities, another kind of memory allocation flaw.
As is Google's practice, the company locked down its bug-tracking database, blocking access to the technical details of the patched vulnerabilities. Google usually unlocks the bug entries several weeks, sometimes months later, to give users time to update before the information goes public.
Google paid out $8,500 in bounties to three different researchers for finding and reporting the six vulnerabilities. So far this year, Google has cut bounty checks totaling $58,145.
Frequent-contributor Sergey Glazunov took home $7,000 for reporting four of the bugs patched Thursday, bringing his 2011 bounty total to $20,634. Glazunov has become the most prolific of the independent researchers who specialize in rooting out Chrome flaws, reporting 14 of the 54 bugs attributed to outsiders.
Yesterday was the sixth time Google patched security vulnerabilities in its browser this year.
Google said the update also added support for the browser's password manager on Linux, and included performance and stability fixes. According to the Chrome change list, it also blacklisted more SSL (secure socket layer) certificates, the digital certificates that encrypt traffic between users and sites. Those new entries appeared to be for reissues of certificates originally blacklisted by Google on March 17.
The additions to the SSL blacklist are connected to last week's theft of several certificates from a Comodo reseller, an event that prompted Comodo to revoke the stolen certificates. Since then, Google, Mozilla and Microsoft have each issued updates -- Google was the first off the mark -- to block the certificates and warn users if they tried to connect to fake sites.
Comodo has cited circumstantial evidence that points to Iran, perhaps the Iranian government, being involved in the certificate theft.
Chrome 10 can be downloaded for Windows, Mac OS X and Linux from Google's Web site. Users already running the browser will be updated automatically.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.
Read more about Security in Computerworld's Security Topic Center.
- Comprehensive Advanced Threat Defense The hot topic in the information security industry these days is "Advanced Threat Defense" (ATD). This paper describes a comprehensive, network-based approach to...
- Advanced Threat Defense: A Comprehensive Approach In this interview, Peter George, president, General Dynamics Fidelis Cybersecurity Solutions, explains why we need more than anti-malware, and what constitutes a comprehensive...
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- Big Data, Big Mess: Sound Risk Intelligence Through Complete Context This paper examines the insecurity of the small businesses in the supply chain and offers tips to close those backdoors into the enterprise.
- NSS Labs & Cisco Present: Evaluating Leading Breach Detection Systems Today's constantly evolving advanced malware and APTs can evade point-in-time defenses to penetrate networks. Security professionals must evolve their strategy in lockstep to...
- Will the Real Endpoint Threat Detection and Response Please Stand Up? This webinar explores new technologies & process for protecting endpoints from advanced attackers as well as the innovations that are pushing the envelope... All Malware and Vulnerabilities White Papers | Webcasts