Chrome update completes busy browser patch week
Time for an industry patch day?
Google has pushed out an update designed to fix a pair of vulnerabilities involving the WebKit application framework that underpins its Chrome browser.
The more severe of the two is a "high risk" memory corruption flaw in WebKit, which creates a potential means for hackers to inject hostile code into the sandbox used by the browser. The second is a less severe information disclosure risk involving the Drag and Drop functionality built into WebKit.
Google's advisory can be found here.
The update completes a busy week on the browser security front with a significant cumulative update for Internet Explorer on Tuesday and a Firefox update on Thursday. In addition, Apple released a beta version of its Safari 4 browser earlier this week.
Outside the browser security arena, Adobe released the first of its scheduled patch updates on Tuesday, and FreeBSD dropped an update designed to defend against a stack-based buffer overflow that poses a potential code injection risk.
It's becoming more difficult for hard-pressed sys admins to keep track of updates, especially when many arrive without any indication a fix is in development.
Some security patching experts, such as Andrew Storms, director of security operations at nCircle, advocate the creation of a general industry patching day to make the patching process easier to plan and manage, security blogger Ryan Naraine reports. ®