
Chrome 16 fixes high, medium-risk vulnerabilities

Google pays $6,000 for vulnerabilities found and fixed in Chrome 16

Google has released Chrome 16, a new stable version of its Web browser that addresses 15 high- and medium-risk vulnerabilities.

Four of the security flaws patched in this release stem from errors in Chrome's built-in PDF parser, which is based on Foxit's PDF SDK (software development kit).

Two of them have a medium severity rating and allow attackers to access parts of the system memory that weren't allocated to the program. This can result in the exposure of sensitive information.

The other two allow attackers to execute arbitrary code by tricking victims into opening maliciously crafted PDF files and have a high severity rating.

Other high-risk arbitrary code execution vulnerabilities were identified and fixed in the SVG, range, bidi and internationalized JavaScript handling components. One bug in the view-source feature allows for the address displayed in the URL bar to be spoofed.

In total, there were six high-risk, seven medium-risk and two low-risk vulnerabilities patched in Chrome 16. Seven of them were discovered by Chromium developers and members of the Chrome and Google Security Teams, while the rest were found by external researchers who earned US$6,000 through the Chromium Security Reward program for their reports.

Six vulnerabilities were discovered with the help of an open-source tool called AddressSanitizer, Google Chrome engineer Anthony Laforge said in a blog post.

However, while the arbitrary code execution and unauthorized memory access flaws pose a serious risk in theory, their actual impact is severely reduced by Google Chrome's sandbox.

Sandboxing is an anti-exploitation technology that isolates potentially vulnerable components, like those used for content parsing, from the operating system. These components gain access to system resources through a special brokering process that's easier to keep free of bugs.

As a result, if an attacker exploits, for example, a Chrome PDF handling vulnerability, their actions are restricted to the sandboxed environment and they can't execute arbitrary code on the actual system.
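To make the broker pattern described above concrete, here is a small added example (not Chrome's code) in which an untrusted parser process can obtain files only by asking a privileged broker, and the broker's policy decides what it gets; the policy, the `broker_resolve`, `parser_worker`, `run_sandbox` and `demo` names, and the sample requests are all constructed for this illustration, and a real sandbox additionally relies on OS mechanisms to stop the worker opening files directly.

```python
import os
import tempfile
from multiprocessing import Pipe, Process

def broker_resolve(allowed_root, requested):
    """Policy check: return the resolved path if it lies inside allowed_root,
    else None. realpath() collapses '..' and symlinks first, so a traversal
    attempt is judged on where it lands, not on how it is spelled."""
    real_root = os.path.realpath(allowed_root)
    real_req = os.path.realpath(os.path.join(real_root, requested))
    return real_req if os.path.commonpath([real_root, real_req]) == real_root else None

def parser_worker(conn, requests):
    """Untrusted side, standing in for the PDF parser process. It never calls
    open() itself: every file comes from the broker, so a bug here can only
    reach what the broker is willing to hand over."""
    outcome = {}
    for path in requests:
        conn.send(("read", path))
        status, _payload = conn.recv()
        outcome[path] = status
    conn.send(("done", outcome))
    conn.close()

def run_sandbox(allowed_root, requests):
    """Privileged side: spawn the worker and broker its file requests."""
    broker_end, worker_end = Pipe()
    worker = Process(target=parser_worker, args=(worker_end, requests))
    worker.start()
    worker_end.close()  # the broker keeps only its own end of the pipe
    while True:
        msg = broker_end.recv()
        if msg[0] == "done":
            worker.join()
            return msg[1]
        op, path = msg
        resolved = broker_resolve(allowed_root, path) if op == "read" else None
        if resolved is None:
            broker_end.send(("denied", path))
            continue
        with open(resolved, "rb") as f:
            broker_end.send(("ok", f.read()))

def demo():
    """Constructed run: one legitimate document plus two requests a
    compromised parser might make; only the first is served."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "doc.pdf"), "wb") as f:
            f.write(b"%PDF-1.4\n% constructed sample\n")
        return run_sandbox(root, ["doc.pdf", "../../etc/passwd", "/etc/passwd"])
```

Calling `demo()` returns a dict mapping each request to `"ok"` or `"denied"`; the point is that the worker's outcome is bounded by the broker's policy, not by the worker's own correctness.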

A recent Google-funded study conducted by the security consultancy firm Accuvant determined that Chrome is the most secure browser when compared to Internet Explorer and Firefox. Accuvant's researchers analyzed the anti-exploitation technologies implemented in the three browsers, including process sandboxing, plug-in security, JIT hardening techniques, ASLR, DEP and stack cookies (GS).
