Monday, September 8, 2008

Google fixes Chrome vulnerabilities--but won't say which

Updated 1:44 p.m. PDT with details that Chrome automatically updates itself with no notification or choice for the user.

Google has quietly begun releasing a hastily prepared update to its Chrome browser to fix some security problems.

The new version, 0.2.149.29, replaces the 0.2.149.27 that was released when Google launched the Chrome beta version last week. Google started releasing the update Friday, initially to a small number of users, but didn't make much of an announcement about the change.

To check if an update is available, click the wrench icon in Chrome's upper-right corner, then select 'about Google Chrome.'

To check if an update is available, click the wrench icon in Chrome's upper-right corner, then select 'about Google Chrome.'

(Credit: Josh Lowensohn/CNET News)

"149.29 is a security update and we released it as fast as we could," said Mark Larson, Google Chrome program manager, in a mailing list posting on Sunday. "We would've liked more time to prepare things, but some of the vulnerabilities were made public without giving us a chance to respond, update, and protect our users first. Thanks for being patient as we work out the kinks in all of our processes."

However, Google isn't revealing details yet about what security issues it's fixed.

"All users have not received the update yet, so we cannot discuss the details of the security issues that were addressed, but we plan to disclose more information once the update has reached all of our user," the company said in a statement Monday.

To check if an update is available, Chrome users can click the wrench icon in Chrome's upper-right corner, then select "about Google Chrome." That will show both the version number and a message indicating whether an update is available.

Google knows best
Without a manual check, Chrome will update itself automatically, Google said. "Google Chrome will automatically checks for updates approximately every five hours. If an update is available, it will be downloaded and applied at the next browser restart," Google said.

Google believes it's best if Chrome applies security updates not only without a description of what's changing, but also without an opportunity for users to decide whether to accept the patch.

"Users do not get a notification when they are updated...When there are security fixes, it's crucial that we update our users as quickly as possible in order to keep them safe. Thus, it's important for us to not require user intervention," the company said in a statement."There are some security fixes that we'll keep quiet because we don't want to disclose security vulnerabilities to attackers."

The automatic update policy applies to security and bug fixes. "For major version updates, when feature changes are involved, we'll explore options for providing users with more details about the changes," Google said.

Microsoft and Mozilla encourage users to download and apply updates automatically to Internet Explorer and Firefox, respectively, but users can chose not to do so.

Automatic updates can cause indigestion in corporations where internal administrators often want control over what software is running or not for compatibility, security, and other reasons. But browser browser vulnerabilities loom larger as more applications move to the Web and more people rely on those services, and automatic updates can help nip attacks in the bud.

Open-source redactions
Don't look for clues about the vulnerabilities in the Chrome source code. The open-source Chromium project haspublicly available mailing lists and source code, but many recent changes to the code base are redacted to show only a blank page rather than the detailed changelog notes of other changes.

"Most of the changes are visible, aside from security changes, which we must keep private in order to keep users safe," Google said of the changelog.

Programming fans also won't be able to glean any insights from the Chrome update plug-in, which is proprietary.

"We use this updater and the server architecture it interfaces with to update across many of our products, some of which are not open source," Google said. "It's not that we are trying to hide anything; rather, it's just that this update infrastructure is not intended to be used by others who may distribute their own versions of the browser based on Chromium code."

Reported vulnerabilities
One security problem found in Chrome version 0.2.149.27 is a carpet-bombing vulnerability that could help an attacker install malicious software on a user's computer without giving the user a chance to accept or reject the download. Google assigned the problem a top priority.

Another reported issue in Chrome 0.2.149.27 is a buffer overrun that could allow an attacker to run arbitrary code on a user's computer and thereby take control of it, according to Bach Khoa Internet Security.

The company was willing to discuss some other details about the update, though. For one thing, the company updated a JavaScript problem that could cause problems using Facebook. For another, it fixed a problem that would crash the entire browser if a person typed "about:%" into the address bar. Google called the problem "non-exploitable, but very annoying," reflecting the removal of the "security" label from the bug report.

No comments: