The Register® — Biting the hand that feeds IT

Feeds

Google publishes Chrome patch details

Carpet-bombing fix looks threadbare

By John Leyden, 9th September 2008
  • print
  • alert

Regcast training : Hyper-V 3.0, VM high availability and disaster recovery

Google has belatedly released details of a security update to its newly released Chrome browser, days after it actually pushed out the patch.

The update was published on Friday and users of Chrome were automatically updated, but details of the vulnerabilities fixed and performance tweaks only emerged on Monday, via a mailing list posting and a new Google Chrome blog.

Mark Larson, a Google Chrome program manager, writes that Google Chrome Beta version 0.2.149.29 addresses two critical vulnerabilities, a small number of lesser flaws and a variety of performance tweaks.

The first of the two critical bug fixes addresses a buffer overflow bug in handling long filenames, while the second deals with a vulnerability in handling link targets. Both the flaws create a means for hackers to inject hostile code into vulnerable systems, hence their critical rating. The release also fixes a lesser browser crashing bug involved in parsing URLs ending with ":%".

Google has also responded to its exposure to the infamous Safari carpet-bombing flaw by ensuring that desktop is not the default directory for downloads. "This mitigates the risk of malicious cluttering of the desktop with unwanted downloads, which can lead to executing unwanted files," it explains.

Hmm. This is, at best, only a partial workaround, and Google would do far better to address the underlying flaw.

The update also includes a number of performance and stability tweaks including a JavaScript problem involving Facebook, flaws in search suggestions on various sites, and a performance issue involving the Safe Browsing mode.

More details on the update can be found in a posting on the Google Chrome blog here. ®

Agentless Backup is Not a Myth

COMMENTS

House Rules Send Corrections
All Reader Comments (31)
Latest Comments
PT

Silent Updates

I'm a bit late to this thread, but I have to comment. I was working away hard on improving my Spider average score when the firewall popped up a warning - "SETUP.EXE is trying to access the internet". WTF?!? I killed the process. A few hours later it happened again. This time, after a bit of effort, I was able to find out what subdir the suspicious Setup was running out of, and a few minutes later Chrome was GONE.

Hint to Google - don't make your product look and behave like a fucking spyware bot. Identify its components by recognizable names, like Chrome_Setup, and prompt before updating - or at least give us the choice.

0
0
Anonymous Coward

Hmmm

This article has been up a whole day and only 29 comments about the lack of control over the silent updates - and some of those are actually supportive.

If this was MS, this comments section would be well over 100, people complaining (and rightly so) about a company installing stuff on their computer without their permission and generally bitching about how evil MS are and how you can't trust them.

What makes google any different? They want to mine your data to make a larger profit from their advertisers. They want to prostitute your browsing habits to make money, but because it's google and not MS everything's ok?

I think this just proves the point that far too many people recently have jumped on the 'lets bitch about MS' bandwagon and the rabid anti-ms comments you get most of the time are nothing to do with the posters principles - they are just foaming at the mouth because it's that big bad boogeyman - Microsoft.

0
0
bobbles31

re Chronos

Hark at the legend in his own lunch hour.

Your comments remind me why I detest large swathes of the IT community. Grow up and face the fact that google et al don't give a fuck (I have no compunction with the f) what you think. They are producing a browser for the majority of the internet community and I'm afraid their isn't snotty geeks who know how to install an operating system. [1]

I agree that allowing anyone to update your computer without permission is a bad idea. But, until something bad happens to the majority of internet users, who trust their most intimate information to Facebook and haven't got a clue what updating their browser means, let alone entails, auto updating of this nature is probably the best approach. Remember we are talking about a user base potentially as young as 7 and as doddery as 70.

I apologise that I didn't use long words in my post.

[1] No one gives a fuck which one it is....jumped up Muppet

0
0

More from The Register

breaking news
Number of cops abusing Police National Computer access on the rise
Only a telegram from the Queen can get you off it
124
breaking news
NSA PRISM snoop-gate: Won't someone think of the children, wails Apple
10,000 things probed, mostly about missing kids, Alzheimer patients, we're told
96
breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
90
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
33
breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
68
Flash flaw potentially makes every webcam or laptop a PEEPHOLE
But it's a Google problem - Chrome only, insists Adobe
57
Speech-to-text drives motorists to distraction
Will talking to you mean I crash into that car up ahead, Siri?
30
DHS warns of vulns in hospital medical equipment
Has your doctor's anasthesia machine been hacked?
17
breaking news
'BadNews is malware' says outfit that found it
Google says code harmless but Lookout says code base is evolving
15
Panda-peddlers cuffed for chess gambling gambit
More porridge on the menu for Chinese coders after second offence
13