Google publishes Chrome patch details
Carpet-bombing fix looks threadbare
Google has belatedly released details of a security update to its newly released Chrome browser, days after it actually pushed out the patch.
The update was published on Friday and users of Chrome were automatically updated, but details of the vulnerabilities fixed and performance tweaks only emerged on Monday, via a mailing list posting and a new Google Chrome blog.
Mark Larson, a Google Chrome program manager, writes that Google Chrome Beta version 0.2.149.29 addresses two critical vulnerabilities, a small number of lesser flaws and a variety of performance tweaks.
The first of the two critical bug fixes addresses a buffer overflow bug in handling long filenames, while the second deals with a vulnerability in handling link targets. Both the flaws create a means for hackers to inject hostile code into vulnerable systems, hence their critical rating. The release also fixes a lesser browser crashing bug involved in parsing URLs ending with ":%".
Google has also responded to its exposure to the infamous Safari carpet-bombing flaw by ensuring that desktop is not the default directory for downloads. "This mitigates the risk of malicious cluttering of the desktop with unwanted downloads, which can lead to executing unwanted files," it explains.
Hmm. This is, at best, only a partial workaround, and Google would do far better to address the underlying flaw.
More details on the update can be found in a posting on the Google Chrome blog here. ®
I'm a bit late to this thread, but I have to comment. I was working away hard on improving my Spider average score when the firewall popped up a warning - "SETUP.EXE is trying to access the internet". WTF?!? I killed the process. A few hours later it happened again. This time, after a bit of effort, I was able to find out what subdir the suspicious Setup was running out of, and a few minutes later Chrome was GONE.
Hint to Google - don't make your product look and behave like a fucking spyware bot. Identify its components by recognizable names, like Chrome_Setup, and prompt before updating - or at least give us the choice.
This article has been up a whole day and only 29 comments about the lack of control over the silent updates - and some of those are actually supportive.
If this was MS, this comments section would be well over 100, people complaining (and rightly so) about a company installing stuff on their computer without their permission and generally bitching about how evil MS are and how you can't trust them.
What makes google any different? They want to mine your data to make a larger profit from their advertisers. They want to prostitute your browsing habits to make money, but because it's google and not MS everything's ok?
I think this just proves the point that far too many people recently have jumped on the 'lets bitch about MS' bandwagon and the rabid anti-ms comments you get most of the time are nothing to do with the posters principles - they are just foaming at the mouth because it's that big bad boogeyman - Microsoft.
Hark at the legend in his own lunch hour.
Your comments remind me why I detest large swathes of the IT community. Grow up and face the fact that google et al don't give a fuck (I have no compunction with the f) what you think. They are producing a browser for the majority of the internet community and I'm afraid their isn't snotty geeks who know how to install an operating system. 
I agree that allowing anyone to update your computer without permission is a bad idea. But, until something bad happens to the majority of internet users, who trust their most intimate information to Facebook and haven't got a clue what updating their browser means, let alone entails, auto updating of this nature is probably the best approach. Remember we are talking about a user base potentially as young as 7 and as doddery as 70.
I apologise that I didn't use long words in my post.
 No one gives a fuck which one it is....jumped up Muppet