Monday, October 12, 2009 | 16:02
Labels: Beta updates, Stable updates
Both the beta and stable channels have been updated to 3.0.195.27 and contain the following fixes:
- Fixed an issue where menu items for certain Indian languages were not properly visible. (Issue: 18042)
- Added support to blacklist the faux www.paypal.com certificate. (Issue: 24038)
- Added NTLMv2 support on Windows. (Issue: 14206)
- FFmpeg files now properly have NX/DBCompat enabled. (Issue: 23189 - Will be made public once this release is fully deployed)
- V8 crash fix. (Issue: 22913)
Anthony Laforge
Google Chrome Program Manager
Monday, October 5, 2009 | 13:24
Labels: Beta updates, Stable updates
The beta and stable channels have been updated to 195.25. This release includes only a single change that adds an image link to the new tab page which directs new users to the themes gallery.
Anthony Laforge
Google Chrome Program Manager
Wednesday, September 30, 2009 | 14:01
Labels: Stable updates
3.0.195.24 has been promoted to the stable channel. There are no additional fixes or changes in this release.
Security Fixes:
CVE-2009-0689 dtoa() error parsing long floating point numbers
The v8 engine uses a common dtoa() implementation to parse strings into floating point numbers. We have applied a patch to fix a recent bug in this component.
Severity: High. An attacker might be able to run arbitrary code within the Google Chrome sandbox.
Credit: Original discovery by Maksymilian Arciemowicz of SecurityReason. The Google Chrome security team determined that Chrome was affected.
Mitigations:
- A victim would need to visit a page under an attacker's control.
- Any code that an attacker might be able to run inside the renderer process would be inside the sandbox. Click here for more details about sandboxing.
Tuesday, September 15, 2009 | 09:59
Labels: Stable updates
3.0.195.21 has graduated from Beta to the Stable channel today.
This release includes themes support, a brand new New Tab page, an updated omnibox, support for audio and video tags, and a higher performing V8 engine.
You can read more about it here.
Anthony Laforge
Google Chrome Program Manager
Security Fixes:
We would like to extend special thanks to Will Dormann of CERT for working with us to improve the security of the new audio and video codecs in this release.
CVE-2009-XXXX Content-Type: application/rss+xml being rendered as active content
Previously, we rendered RSS and Atom feeds as XML. Because most other browsers render these documents with dedicated feed previewers, some web sites do not sanitize their feeds for active content, such as JavaScript. In these cases, an attacker might be able to inject JavaScript into a target web site.
More info: http://code.google.com/p/chromium/issues/detail?id=21238
(This issue will be made public once a majority of users are up to date with the fix.)
Severity: Medium. Most web sites are not affected because they do not include untrusted content in RSS or Atom feeds.
Credit: Inferno of SecureThoughts.com
Mitigations:
- A victim would need to visit a page under an attacker's control.
- The target web site would need to let the attacker inject JavaScript into an RSS or an Atom feed.
CVE-2009-XXXX Same Origin Policy Bypass via getSVGDocument() method
The getSVGDocument method was lacking an access check, resulting in a cross-origin JavaScript capability leak. A malicious web site operator could use the leaked capability to inject JavaScript into a target web site hosting an SVG document, bypassing the same-origin policy.
More info: http://code.google.com/p/chromium/issues/detail?id=21338
(This issue will be made public once a majority of users are up to date with the fix.)
Severity: High
Credit: Isaac Dawson
Mitigations:
- A victim would need to visit a page under an attacker's control.
- The target web site would need to host an SVG document.
Tuesday, August 25, 2009 | 09:58
Labels: Stable updates
Google Chrome 2.0.172.43 has been released to the Stable channel to fix the security issues listed below.
CVE-2009-2935 Unauthorized memory read from Javascript
A flaw in the V8 Javascript engine might allow specially-crafted Javascript on a web page to read unauthorized memory, bypassing security checks. It is possible that this could lead to disclosing unauthorized data to an attacker or allow an attacker to run arbitrary code.
Severity: High. An attacker might be able to run arbitrary code within the Google Chrome sandbox.
Credit: This issue was found by Mozilla Security.
Mitigations:
- A victim would need to visit a page under an attacker's control.
- Any code that an attacker might be able to run inside the renderer process would be inside the sandbox. Click here for more details about sandboxing.
Security Fix: Treat weak signatures as invalid
Google Chrome no longer connects to HTTPS (SSL) sites whose certificates are signed using MD2 or MD4 hashing algorithms. These algorithms are considered weak and might allow an attacker to spoof an invalid site as a valid HTTPS site.
Severity: Medium. Further advances in attacks against weak hashing algorithms may eventually permit attackers to forge certificates.
CVE-2009-2414 Stack consumption vulnerability in libxml2
Pages using XML can cause a Google Chrome tab process to crash. A malicious XML payload may be able to trigger a use-after-free condition. Other tabs are unaffected.
More info: See the CVE entries noted in this report.
Severity: High. An attacker might be able to run arbitrary code within the Google Chrome sandbox.
Credit: Original discovery by Rauli Kaksonen and Jukka Taimisto from the CROSS project at Codenomicon Ltd. The Google Chrome security team determined that Chrome was affected.
Mitigations:
- A victim would need to visit a page under an attacker's control.
- Any code that an attacker might be able to run inside the renderer process would be inside the sandbox. Click here for more details about sandboxing.
Jonathan Conradt
Engineering Program Manager
Thursday, July 16, 2009 | 11:42
Labels: Beta updates, Stable updates
[Update: Added CVE numbers for the security issues. --mal@chromium.org, 21 July 2009]
Google Chrome 2.0.172.37 has been released to the Beta and Stable channels. This release fixes some minor bugs:
- Fix: Solving captcha images broken at orkut.com. (Issue 15569)
- Make forward/backward navigation work even when redirection is involved. (Issue 9663, issue 10531)
- Fix: Daylight savings time not recognized for some CET locales. (Issue 12579)
- Fix a browser crash on closing a URL request. (Issue 8942)
- Update the V8 Javascript engine to version 1.1.10.14 to fix issues with regular expressions.
- Update Gears to the latest release, 0.5.25.0.
In addition, this release fixes the following security issues:
CVE-2009-2555 Heap overflow with Javascript regular expressions
Evaluating a specially-crafted regular expression in Javascript on a web page can lead to memory corruption and possibly a heap overflow. Visiting a maliciously crafted website may lead to a renderer (tab) crash or arbitrary code execution in the Google Chrome sandbox.
Severity: High. An attacker might be able to run arbitrary code within the Google Chrome sandbox.
Credit: This issue was found by the Google Chrome security team.
Mitigations:
- A victim would need to visit a page under an attacker's control.
- Any code that an attacker might be able to run inside the renderer process would be inside the sandbox. Click here for more details about sandboxing.
CVE-2009-2556 Memory corruption in the browser process
A compromised renderer (tab) process could cause the browser process to allocate very large memory buffers. This error could cause the browser process (and all tabs) to crash or possibly allow arbitrary code execution with the privileges of the logged on user. To exploit this vulnerability, an attacker would need to be able to run arbitrary code inside the renderer process.
Severity: Critical. In conjunction with a vulnerability allowing arbitrary code to run in the renderer, an attacker might be able to run code with the privileges of the logged on user.
Credit: This issue was found by the Google Chrome security team.
Mitigations:
- A victim would need to visit a page under an attacker's control.
- The attacker must exploit a second vulnerability to control the renderer process.
Monday, June 22, 2009 | 10:19
Labels: Beta updates, Stable updates
Google Chrome 2.0.172.33 has been released to the Stable and Beta channels. This release fixes a critical security issue and two other networking bugs.
CVE-2009-2121: Buffer overflow processing HTTP responses
Google Chrome is vulnerable to a buffer overflow in handling certain responses from HTTP servers. A specially crafted response from a server could crash the browser and possibly allow an attacker to run arbitrary code.
Severity: Critical. An attacker might be able to run code with the privileges of the logged on user.
Credit: This issue was found by the Google Chrome security team.
Other issues
This release also fixes two other network issues:
- NTLM authentication to Squid proxies fails when trying to connect to HTTPS sites (Issue 8771)
- Browser crash when loading some HTTPS sites (Issue 13226)
Mark Larson
Google Chrome Program Manager
Tuesday, June 9, 2009 | 12:47
Labels: Stable updates
Google Chrome's Stable channel has been updated to version 2.0.172.31 to fix two security issues in WebKit.
CVE-2009-1690 Memory corruption
A memory corruption issue exists in WebKit's handling of recursion in certain DOM event handlers. Visiting a maliciously crafted website may lead to a tab crash or arbitrary code execution in the Google Chrome sandbox. This update addresses the issue through improved memory management.
Severity: High. An attacker might be able to run arbitrary code within the Google Chrome sandbox.
Mitigations:
- A victim would need to visit a page under an attacker's control.
- Any code that an attacker might be able to run inside the renderer process would be inside the sandbox. Click here for more details about sandboxing.
CVE-2009-1718 Drag and drop information leak
An issue exists in WebKit's handling of drag events. This may lead to the disclosure of sensitive information when content is dragged over a maliciously crafted web page. This update addresses the issue through improved handling of drag events.
Severity: Medium. An attacker might be able to read data belonging to another web site, if a user can be convinced to select and drag data on an attacker-controlled site.
Mark Larson
Google Chrome Program Manager
Thursday, May 21, 2009 | 11:00
Labels: Stable updates
We're promoting 2.0.172 from Beta to the Stable channel today.
We've made a lot of changes to stuff you never see, such as a newer version of WebKit for rendering web pages, a new network stack, and improvements to speed up the V8 Javascript engine.
There are some new features like removing Most Visited sites from the New Tab page, form autofill, and full screen mode.
We're also proud to announce that Google Chrome is now available in 50 languages. We added Bengali, Gujarati, Kannada, Malayalam, Marathi, Oriya (on Windows Vista only), Tamil, and Telugu in this release.
You can read more about it here.
--Mark Larson
Google Chrome Program Manager
Thursday, May 7, 2009 | 15:39
Labels: Stable updates
Edit 13 May 2009: Disclosing that this release contains the fix for CVE-2009-0945, an issue in WebKit code that also affects Apple's Safari web browser. We did not want to disclose this until Apple's fix for Safari users was released.
Google Chrome's Stable channel has been updated to version 1.0.154.65 to fix a crash during startup for a small percentage of users.
CVE-2009-0945 Denial of service in SVG
A memory corruption issue exists in WebKit's handling of SVGList objects. Visiting a maliciously crafted website may lead to arbitrary code execution. The arbitrary code would be limited by the Google Chrome sandbox.
Severity: High. An attacker might be able to run arbitrary code within the Google Chrome sandbox.
Mitigations:
- A victim would need to visit a page under an attacker's control.
- Any code that an attacker might be able to run inside the renderer process would be inside the sandbox. Click here for more details about sandboxing.
Mark Larson
Google Chrome Program Manager
Tuesday, May 5, 2009 | 16:07
Labels: Stable updates
Google Chrome's Stable channel has been updated to version 1.0.154.64 to fix two security issues discovered by internal Google testing.
This release also contains
- A new notification at startup that makes it easier to set Google Chrome as the default browser. If you don't want Google Chrome to be the default browser, you can click 'Don't ask again'.
- A new version of Gears (0.5.16.0)
Security Fixes
CVE-2009-1441: Input validation error in the browser process.
A failure to properly validate input from a renderer (tab) process could allow an attacker to crash the browser and possibly run arbitrary code with the privileges of the logged on user. To exploit this vulnerability, an attacker would need to be able to run arbitrary code inside the renderer process.
Severity: Critical. An attacker might be able to run code with the privileges of the logged on user.
Mitigation: An attacker would need to be able to run arbitrary code in the renderer process.
CVE-2009-1442: Integer overflow in Skia 2D graphics.
A failure to check the result of integer multiplication when computing image sizes could allow a specially-crafted image or canvas to cause a tab to crash and it might be possible for an attacker to execute arbitrary code inside the (sandboxed) renderer process.
Severity: High. An attacker might be able to run arbitrary code within the Google Chrome sandbox.
Mitigations:
- A victim would need to visit a page under an attacker's control.
- Any code that an attacker might be able to run inside the renderer process would be inside the sandbox. Click here for more details about sandboxing.
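As an added example (not Chrome or Skia code) of the bug class behind CVE-2009-1441 and CVE-2009-1442: a buffer size derived from renderer-supplied image dimensions wraps when multiplied in 32 bits, while the hardened version widens the arithmetic and bounds it against a cap before the privileged side allocates anything. The 4-byte pixel size and the 256 MiB cap are assumptions chosen for illustration.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed limits for this example (not Chrome's or Skia's values):
 * 32-bit RGBA pixels, and a policy cap on how large a buffer the browser
 * process will ever allocate on behalf of a renderer. */
#define BYTES_PER_PIXEL 4u
#define MAX_IMAGE_BYTES (256u * 1024u * 1024u)

/* Vulnerable pattern: unsigned 32-bit arithmetic wraps modulo 2^32, so
 * hostile dimensions can produce a tiny byte count that later code
 * (which still believes in width*height pixels) writes far past. */
static uint32_t unchecked_image_bytes(uint32_t width, uint32_t height)
{
    return width * height * BYTES_PER_PIXEL;
}

/* Hardened form: do the multiplication in 64 bits, reject zero-sized
 * images, and compare the pixel count against the cap before the final
 * multiply so the 64-bit product can never overflow either. */
static bool checked_image_bytes(uint32_t width, uint32_t height, size_t *out)
{
    if (width == 0 || height == 0)
        return false;
    uint64_t pixels = (uint64_t)width * (uint64_t)height;
    if (pixels > MAX_IMAGE_BYTES / BYTES_PER_PIXEL)
        return false;           /* would wrap 32 bits or exceed the policy cap */
    *out = (size_t)(pixels * BYTES_PER_PIXEL);
    return true;
}

/* Models the privileged side receiving (width, height) from an untrusted
 * renderer: the size is recomputed and bounded here, never trusted.
 * Returns NULL on rejection; on success *len holds the allocated size. */
static void *alloc_bitmap_from_renderer(uint32_t width, uint32_t height, size_t *len)
{
    size_t n;
    if (!checked_image_bytes(width, height, &n))
        return NULL;
    void *buf = calloc(1, n);
    if (buf != NULL)
        *len = n;
    return buf;
}

int main(void)
{
    /* 1073741825 x 1 pixels: the unchecked product is 2^32 + 4, which
     * wraps to a 4-byte allocation for a billion-pixel image. */
    uint32_t w = 1073741825u, h = 1u;
    size_t n = 0;
    printf("unchecked: %" PRIu32 " bytes\n", unchecked_image_bytes(w, h));
    printf("checked:   %s\n", checked_image_bytes(w, h, &n) ? "accepted" : "rejected");
    void *ok = alloc_bitmap_from_renderer(640u, 480u, &n);
    printf("640x480:   %s (%zu bytes)\n", ok ? "accepted" : "rejected", n);
    free(ok);
    return 0;
}
```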
Mark Larson
Google Chrome Program Manager
Thursday, April 23, 2009 | 11:59
Labels: Stable updates
Edit (24 April): Removed "Such an attack only works if Chrome is not already running."
Google Chrome's Stable channel has been updated to 1.0.154.59 to fix a security issue:
CVE-2009-1412 ChromeHTML protocol handler same-origin bypass
An error in handling URLs with a chromehtml: protocol could allow an attacker to run scripts of his choosing on any page or enumerate files on the local disk under certain conditions.
If a user has Google Chrome installed, visiting an attacker-controlled web page in Internet Explorer could have caused Google Chrome to launch, open multiple tabs, and load scripts that run after navigating to a URL of the attacker's choice.
See http://code.google.com/p/chromium/issues/detail?id=9860 for more details.
Affected versions: 1.0.154.55 and earlier
Severity: High. This allows universal cross-site scripting (UXSS) without user interaction under certain conditions.
Credit: Roi Saltzman (roisa@il.ibm.com) Security Researcher at IBM Rational Application Security Research Group
--Mark Larson
Google Chrome Program Manager
Monday, March 23, 2009 | 10:19
Labels: Stable updates
Google Chrome 1.0.154.53 has been released to the Stable channel. This is a minor bugfix release that addresses:
- Issues 6504, 6732, and 7568: Problems setting Google Chrome as the default browser on Windows Vista.
- Issue 5806: Blank entries can appear in the address bar's list of suggestions.
- Adding DigiNotar and SwissSign Gold as trusted certificate authorities for extended validation (EV) SSL certificates.
See the release notes for additional changes.
--Mark Larson
Google Chrome Program Manager
Tuesday, February 3, 2009 | 11:52
Labels: Beta updates, Stable updates
Google Chrome's Beta and Stable channels have been updated to 1.0.154.48.
The change in 1.0.154.46 to fix Hotmail caused a problem for users in Incognito mode trying to access sites which depend on the User-Agent header. This header identifies the type of browser making the request and should be part of every request, even in Incognito mode. This issue is now fixed. There is also a security fix for a bug (analogous to CVE-2007-3670) where command line arguments could be injected and executed by getting a user to click a link in certain other browsers.
Jonathan Conradt
Engineering Program Manager
Mountain View, CA
Wednesday, January 28, 2009 | 00:37
Labels: Beta updates, Stable updates
Google Chrome's Beta and Stable channels have been updated to 1.0.154.46. (Note, we won't have a different release for the Beta channel until we have something Beta-worthy come out of the Dev channel in February.)
This release fixes issues with two popular webmail providers:
- Sending mail from Yahoo! Mail works again.
- Windows Live Hotmail now works. While the Hotmail team works on a proper fix, we're deploying a workaround that changes the user agent string that Google Chrome sends when requesting URLs that end with mail.live.com.
If you've been using the --user-agent switch to use Hotmail, you can remove the switch from your shortcuts with this release.
This release also includes two security updates. The release notes have the full list of changes.
Security Updates
Workaround for "Adobe Reader Plugin Open Parameters Cross-Site Scripting Vulnerability"
CVE: CVE-2007-0048, CVE-2007-0045
Google Chrome now refuses requests for javascript: URLs in Netscape Plugin API (NPAPI) requests from the Adobe Reader plugin. Adobe is aware of this issue and has helped us develop this mitigation while they work on a fix for all users.
Severity: Moderate. This could allow a PDF document to run scripts on arbitrary sites.
Credit: Thanks to Michael Schmidt for reporting this responsibly to Google.
Javascript Same-Origin Bypass
CVE: CVE-2009-0276
A bug in the V8 JavaScript engine could allow bypassing same-origin checks in certain situations.
Severity: High. A malicious script in a page could read the full URL of another frame, and possibly other attributes or data from another frame in a different origin. This could disclose sensitive information from one website to a third party.
Credit: Found internally by Google.
--Mark Larson, Google Chrome Program Manager
Friday, January 9, 2009 | 12:59
Labels: Beta updates, Stable updates
Google Chrome's Stable and Beta channels have been updated to version 1.0.154.43.
This is a minor update to add the following fixes:
- Update Gears to version 0.5.8.0 to fix a crash with some offline applications
- Enable spell-checking for Hebrew
--Mark Larson, Google Chrome Program Manager
Thursday, December 11, 2008 | 00:29
Labels: Stable updates
Google Chrome is now officially out of Beta. Read about it here.
All users will get updated to the latest release over the next few days. The version of the latest update is 1.0.154.36.
Note to Dev channel users: The Dev channel release will stay at 0.4.154.33. The current stable release is the same as the current Dev channel release without the Hotmail fix (which hasn't been tested enough to release to all users). An update is coming next week.