Google patches critical Chrome bugs

From InfoWorld: Google on Tuesday patched several vulnerabilities in Chrome, including two a French security company said could be used to bypass the browser's anti-exploit technology.

But Chrome 11.0.696.71, which Google rolled out yesterday to users via its automatic update mechanism, does not patch the flaw that Vupen researchers said earlier this month could be exploited on Windows 7.

Tuesday's security update was the second for the Chrome "stable" build -- the most polished version of the browser -- this month.

Google fixed four vulnerabilities in the update, including two rated "critical," the category typically reserved for bugs that may let an attacker escape Chrome's "sandbox." Google has patched five critical bugs so far this year.

One of the remaining pair of flaws was ranked "high" -- and got the researcher who reported it a $1,000 bug bounty -- while the other was labeled "low" on Google's four-step threat scoring system.

The two critical vulnerabilities were credited to Google's own security engineers.

Although Google declined to confirm that the two most serious bugs could be used by attackers to break out of the Chrome sandbox, and thus plant malicious code on the computer, French security firm Vupen said that was likely.
