Notizia Successiva
Foxit Reader 3.1.0824

Google risolve differenti falle di sicurezza nella versione stabile di Chrome

Naviga SWZ: Home Page » News
News del 26 Agosto 09 Autore: Gianplugged
Google risolve differenti falle di sicurezza nella versione stabile di Chrome
Google rilascia una nuova versione stabile di Google Chrome, la 2.0.172.43, che risolve differenti gravi falle di sicurezza.

Le falle riguardano la possibilità di un attacco al motore Javascript V8 di Chrome e permetterebbero ai malintezionati di utilizzare un codice malevolo per avere accesso alla zona protetta di Chrome, Sandbox, che contiene dati sensibili dell´utente.

Note di rilascio:

Google Chrome 2.0.172.43 has been released to the Stable channel to fix the security issues listed below.

CVE-2009-2935 Unauthorized memory read from Javascript

A flaw in the V8Javascript engine might allow specially-crafted Javascript on a webpage to read unauthorized memory, bypassing security checks. It ispossible that this could lead to disclosing unauthorized data to anattacker or allow an attacker to run arbitrary code.

More info: http://code.google.com/p/chromium/issues/detail?id=18639

(This issue will be madepublic once a majority of users are up to date with the fix.)

Severity: High.  An attacker might be able to run arbitrary code within the Google Chrome sandbox.

Credit: This issue was found by Mozilla Security.

Mitigations:
  • A victim would need to visit a page under an attacker´s control.
  • Any code that an attacker might be able to run inside the renderer process would be inside the sandbox. Click here for more details about sandboxing.

Security Fix: Treat weak signatures as invalid

Google Chromeno longer connects to HTTPS (SSL) sites whose certificates are signedusing MD2 or MD4 hashing algorithms. These algorithms are consideredweak and might allow an attacker to spoof an invalid site as a validHTTPS site.

More info: http://code.google.com/p/chromium/issues/detail?id=18725

(This issue will be made public once a majority of users are up to date with the fix.)

Severity: Medium.  Further advances in attacks against weak hashing algorithms may eventually permit attacks to forge certificates.

Credit:  Dan Kaminsky, Director of Penetration Testing, IOActive Inc., Meredith Patterson and Len Sassaman. See their paper at http://www.ioactive.com/pdfs/PKILayerCake.pdf

CVE-2009-2414  Stack consumption vulnerability in libxml2

CVE-2009-2416  Multiple use-after-free vulnerabilities in libxml2

Pages using XML can cause a Google Chrome tab process to crash. A malicious XML payload may be able to trigger a use-after-free condition. Other tabs are unaffected.
More info: See the CVE entries noted in this report.

Severity: High.  An attacker might be able to run arbitrary code within the Google Chrome sandbox.
Credit: Originaldiscovery by Rauli Kaksonen and Jukka Taimisto from the CROSS projectat Codenomicon Ltd. The Google Chrome security team determined thatChrome was affected.
Mitigations:
  • A victim would need to visit a page under an attacker´s control.
  • Any code that an attacker might be able to run inside the renderer process would be inside the sandbox. Click here for more details about sandboxing.
Inserisci un commento sul forum Commenta la News sul Forum

Voto:

Categoria: Windows

Licenza: Open source

Dimensioni: 9.5 MB

OS: Windows

La Community di SWZone.it

La community con le risposte che cerchi ! Partecipa é gratis !
Iscrizione ForumIscriviti al Forum

Newsletter

Vuoi ricevere tutti gli aggiornamenti di SWZone direttamente via mail ?
Iscrizione NewsletterIscriviti alla Newsletter

News Collegate