Google fixes Chrome vulnerabilities--but won't say which
Updated 1:44 p.m. PDT with details that Chrome automatically updates itself with no notification or choice for the user.
Google has quietly begun releasing a hastily prepared update to its Chrome browser to fix some security problems.
The new version, 0.2.149.29, replaces the 0.2.149.27 that was released when Google launched the Chrome beta version last week. Google started releasing the update Friday, initially to a small number of users, but didn't make much of an announcement about the change.
To check if an update is available, click the wrench icon in Chrome's upper-right corner, then select 'about Google Chrome.'
(Credit: Josh Lowensohn/CNET News)"149.29 is a security update and we released it as fast as we could," said Mark Larson, Google Chrome program manager, in a mailing list posting on Sunday. "We would've liked more time to prepare things, but some of the vulnerabilities were made public without giving us a chance to respond, update, and protect our users first. Thanks for being patient as we work out the kinks in all of our processes."
However, Google isn't revealing details yet about what security issues it's fixed.
"All users have not received the update yet, so we cannot discuss the details of the security issues that were addressed, but we plan to disclose more information once the update has reached all of our user," the company said in a statement Monday.
To check if an update is available, Chrome users can click the wrench icon in Chrome's upper-right corner, then select "about Google Chrome." That will show both the version number and a message indicating whether an update is available.
Google knows best
Without a manual check, Chrome will update itself automatically, Google said. "Google Chrome will automatically checks for updates approximately every five hours. If an update is available, it will be downloaded and applied at the next browser restart," Google said.
Google believes it's best if Chrome applies security updates not only without a description of what's changing, but also without an opportunity for users to decide whether to accept the patch.
"Users do not get a notification when they are updated...When there are security fixes, it's crucial that we update our users as quickly as possible in order to keep them safe. Thus, it's important for us to not require user intervention," the company said in a statement."There are some security fixes that we'll keep quiet because we don't want to disclose security vulnerabilities to attackers."
The automatic update policy applies to security and bug fixes. "For major version updates, when feature changes are involved, we'll explore options for providing users with more details about the changes," Google said.
Microsoft and Mozilla encourage users to download and apply updates automatically to Internet Explorer and Firefox, respectively, but users can chose not to do so.
Automatic updates can cause indigestion in corporations where internal administrators often want control over what software is running or not for compatibility, security, and other reasons. But browser browser vulnerabilities loom larger as more applications move to the Web and more people rely on those services, and automatic updates can help nip attacks in the bud.
Open-source redactions
Don't look for clues about the vulnerabilities in the Chrome source code. The open-source Chromium project has publicly available mailing lists and source code, but many recent changes to the code base are redacted to show only a blank page rather than the detailed changelog notes of other changes.
"Most of the changes are visible, aside from security changes, which we must keep private in order to keep users safe," Google said of the changelog.
Programming fans also won't be able to glean any insights from the Chrome update plug-in, which is proprietary.
"We use this updater and the server architecture it interfaces with to update across many of our products, some of which are not open source," Google said. "It's not that we are trying to hide anything; rather, it's just that this update infrastructure is not intended to be used by others who may distribute their own versions of the browser based on Chromium code."
Reported vulnerabilities
One security problem found in Chrome version 0.2.149.27 is a carpet-bombing vulnerability that could help an attacker install malicious software on a user's computer without giving the user a chance to accept or reject the download. Google assigned the problem a top priority.
Another reported issue in Chrome 0.2.149.27 is a buffer overrun that could allow an attacker to run arbitrary code on a user's computer and thereby take control of it, according to Bach Khoa Internet Security.
The company was willing to discuss some other details about the update, though. For one thing, the company updated a JavaScript problem that could cause problems using Facebook. For another, it fixed a problem that would crash the entire browser if a person typed "about:%" into the address bar. Google called the problem "non-exploitable, but very annoying," reflecting the removal of the "security" label from the bug report.
Stephen Shankland writes about a wide range of technology and products, but has a particular focus on browsers and digital photography. He joined CNET News in 1998 and since then also has covered Google, Yahoo, servers, supercomputing, Linux and open-source software, and science. E-mail Stephen, or follow him on Twitter at http://www.twitter.com/stshank.
Sounds like a convenient excuse.
I noticed that my TV app would begin to stutter and get chppy when using Chrome AND FF , but no such problems when using IE 7/8. After reading an article on CNN.COM I now know why. On real world web pages and most have Flash on them , Chrome and FF both hammer the CPU !!! With IE there is very minimal CPU usage shown to accomplish the same task. I don`t care what Google says about some javascript test being faster , because I`m seeing IE 8 be just as quick with MINIMAL CPU load on all websites. And IE 8 has many more useful features than Chrome and a better layout than their Fisher-Price interface. Real world testing shows IE 8 to be just as fast as Chrome ! Chrome...nothing but hype !
I've open flash pages in Chrome, Firefox and IE7/8.... all of them don't hammer the CPU. Try foisting your BS on someone else who hasn't tested these issues.
"However, Google isn't revealing details yet about what security issues it's fixed."
It appears that Google is following Apple in almost every way!
The majority of Apple's software updates have a "detailed explanation" of "Bug Fixes" (although it could be a 4GB file.)
Google is worse than MS because they have not had their Wings clipped (yet!) by the EU or DOJ. They behave with no regard for anybody else. In any case they have just taken all Konqueror and Apple work applied a new skin and presented Chrome as a new browser from scratch.
They do not deserve to attract a community like Firefox. They are very secretive and have their own agenda.
I'm also angry that Chrome doesn't perform a clean uninstall. It leaves crap like Googleupdate.exe in the registry. When you run Chrome there is one or two Googleupdate.exe processes running in the background all the time. This is to update Chrome and other Google Software. But Mozilla don't use that dirty trick.
Security doesn't exist if programs don't start fessing up to the Who, What, When, Why, Where, and How.
Say what you want about MS but when they got their butts handed to them on security they did something about it. When firefox clowned them they did something about it. No player coming into the market in this day and age has an excuse for this sloppiness. The moment I heard google was releasing Chrome I said, "What no day 0 vulnerability?" ... don't give me any "but it's just beta" argument either. Google generally leaves their products in beta until they basically have an RTM like adoption and the users bugtest it. Once everyone is done then they say TA-DA...Version 1.0!!
Back in the days of purchased browsers, you had a reason to complain.
Answer: Nothing.
"One security problem found in Chrome version 0.2.149.27 is a carpet-bombing vulnerability that could help an attacker install malicious software on a user's computer without giving the user a chance to accept or reject the download. Google assigned the problem a top priority."
Indeed, another even more serious security problem found in Chrome (all versions) is that Google can install any software they want including malicious code on all users' computers without giving the user a chance to accept or reject the download. Users assigned the problem a top priority.
Regarding Google's automatic update, I can't believe they'll get away with that. Big no, no. Kind of like "big brother knows best" attitude. I'm glad they're providing choices, but I don't want to trade one big monopoly who the industry spent years trying to reign in, for another....
-
by dood1386
January 11, 2009 1:16 PM PST
- hi
-
Reply to this comment
-
(18 Comments)i want to say a big problem about google chrome
this browser is good but when we are downloading a file or more files ,its usual we may close the browser,at this time ,browser will be closed without any warning and our downloads are terminated. i want google to fix this.
thanx to google