Google's new Chrome browser is vulnerable to a remote-control attack, Vietnamese security-research firm Bach Khoa Internetwork Security says. Bach Khoa said a total of four Chrome vulnerabilities were discovered, and Google reportedly has issued a patch. An analyst said the vulnerability in Google's Chrome isn't surprising since it's a beta product.
Bach Khoa Internetwork Security, a security-research firm in Vietnam, claims to be the first to discover a critical vulnerability in Google's Chrome browser. "This is the first critical Chrome vulnerability permitting [a] hacker to perform a remote code-execution attack and take complete control of the affected system," the firm wrote in its Sept. 5 advisory. While four Chrome vulnerabilities were discovered, Bach Khoa said the "Save As" flaw is the only one that can allow an attacker to launch remote attacks from a victim's PC. Other vulnerabilities just crash the browser.
The vulnerability is caused by a boundary error when handling the "Save As" function. When a user saves a malicious page with a title tag in the HTML code, the program causes a stack-based overflow, according to Bach Khoa. A hacker could construct a specially crafted Web page that contains malicious code, trick a user into visiting that Web site, and convince the user to save the page. That will execute the code and give the attacker privileges to remotely use the infected system.
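The bug class the advisory describes, as an added example (not Chrome's code and not taken from Bach Khoa's advisory): building a suggested "Save As" filename from a page title in a fixed-size buffer, with the unchecked copy shown only in a comment and a bounded version as the running code. The function name, buffer sizes, fallback stem and ".htm" extension are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Unchecked pattern (the bug class described above; NOT run here):
 *     char name[64];          // fixed-size stack buffer
 *     strcpy(name, title);    // title length comes from the page
 *     strcat(name, ".htm");   // anything past 63 bytes overwrites the stack
 */

/* Bounded version. Writes a NUL-terminated filename into out (out_sz bytes).
 * Returns 0 on success, 1 if the title was truncated, -1 if out is unusable. */
int suggest_name(const char *title, char *out, size_t out_sz) {
    static const char ext[] = ".htm";          /* assumed extension */
    const size_t ext_len = sizeof ext - 1;
    if (out == NULL || out_sz < ext_len + 2)   /* 1 stem byte + ext + NUL */
        return -1;
    if (title == NULL)
        title = "";
    size_t room = out_sz - ext_len - 1;        /* bytes left for the stem */
    size_t n = 0;
    for (; title[n] != '\0' && n < room; n++) {
        unsigned char c = (unsigned char)title[n];
        /* replace control bytes and characters that are illegal in filenames */
        out[n] = (c < 0x20 || strchr("\\/:*?\"<>|", c)) ? '_' : (char)c;
    }
    int truncated = title[n] != '\0';
    if (n == 0) {                              /* empty title: fixed stem */
        static const char stem[] = "page";     /* assumed fallback name */
        n = (sizeof stem - 1 < room) ? sizeof stem - 1 : room;
        memcpy(out, stem, n);
    }
    memcpy(out + n, ext, ext_len + 1);         /* includes the NUL */
    return truncated;
}

int main(void) {
    char title[1001], name[64];                /* constructed oversized title */
    memset(title, 'A', 1000);
    title[1000] = '\0';
    int rc = suggest_name(title, name, sizeof name);
    printf("rc=%d len=%zu\n", rc, strlen(name));
    return 0;
}
```

The length of the title is decided by whoever wrote the page, so the copy is limited by the size of the destination rather than by the length of the input.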
Google reportedly has issued a patch for the browser, which can be found by telling Chrome to search for an update.
No one should really be surprised by the news of flaws in Chrome, according to Graham Cluley, a senior security consultant at Sophos. Any Google software release is likely to attract a lot of attention from security researchers, he said, all keen to discover if a problem can be found amid all the hoopla of a new product launch.
"The good news is that all the signs are that Google's security team is aware of the importance of securing their applications -- be they on Internet users' hard disks or on the Web -- and appears to work hard to respond rapidly to threats as they emerge. This is always harder, of course, if flaws are not disclosed responsibly," Cluley said.
Sunday, September 14, 2008