David Baxter PhD

Late Founder
Google patches "critical" Chrome code execution flaws
by Ryan Naraine
September 8th, 2008

The first security patch for Google's new Chrome browser is out, fixing at least two "critical" vulnerabilities that put Windows users at risk of code execution attacks.

The patch, which is rolled out automatically via Chrome's auto-update feature, also addresses two additional security vulnerabilities: the carpet-bombing issue and a denial-of-service flaw that could lead to browser crashes and data loss.

From the release notes:

  • Fixes a buffer overflow vulnerability in handling long filenames that display in the "Save As" dialog. This is a critical risk that could lead to execution of arbitrary code. See here for fix details.
  • Fixes a buffer overflow vulnerability in handling link targets displayed in the status area when the user hovers over a link. This is a critical risk that could lead to execution of arbitrary code. The issue was reported privately to Google. Fix details here.
  • Fixes an out of bounds memory read when parsing URLs ending with :%. This is a low risk that can be used to crash the entire browser, possibly causing loss of data in the current session. Fix information here.
  • The update also changes the default Downloads directory if it is set to Desktop to ensure that Desktop cannot be the default. This mitigates the risk of malicious cluttering of the desktop (aka carpet bombing) with unwanted downloads, which can lead to executing unwanted files.
Curiously, the user agent for the fully patched version of Chrome (version 0.2.149.29) is still showing WebKit 525.13 (Safari 3.1), meaning that Aviv Raff's two-click PC takeover vulnerability is still unpatched.

I just tested Raff's proof-of-concept that combines two flaws, one in Safari and one in Java, and was still able to execute code without warning. Strange.
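The release notes above name two memory-safety bug classes: an unbounded copy of attacker-controlled text (a long filename or link target) into a fixed display buffer, and a URL decoder that reads past the end of its input when the string ends in `%`. The following C code is an added illustration of both in their hardened form; it is not Chrome's code and not from the article, and `DISPLAY_MAX`, `copy_for_display`, `percent_decode` and the sample strings are invented for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration of the two bug classes in the release notes, in
 * hardened form. This is not Chrome's code; names and sizes are invented. */

#define DISPLAY_MAX 16  /* hypothetical width of a status-bar / dialog field */

/* Length-checked copy of a filename or link target into a fixed display
 * buffer. An unbounded strcpy here is the "long filename" / "long link
 * target" overflow; instead we truncate and mark the cut with "...".
 * Returns the number of characters stored (excluding the NUL). */
size_t copy_for_display(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0) return 0;
    if (len < dst_size) {
        memcpy(dst, src, len + 1);      /* fits, including the NUL */
        return len;
    }
    size_t keep = dst_size - 1;         /* leave room for the NUL */
    memcpy(dst, src, keep);
    if (keep >= 3) memcpy(dst + keep - 3, "...", 3);
    dst[keep] = '\0';
    return keep;
}

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode src[0..n) into out. The check "i + 2 < n" is the whole
 * point: a decoder that reads src[i+1] and src[i+2] as soon as it sees
 * '%' walks past the end of an input that ends in "%" (the ":%" case in
 * the notes). Malformed escapes are copied literally.
 * Returns the decoded length, or -1 if out is too small. */
long percent_decode(const char *src, size_t n, char *out, size_t out_size)
{
    if (out_size == 0) return -1;
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        char c = src[i];
        if (c == '%' && i + 2 < n) {
            int hi = hexval(src[i + 1]), lo = hexval(src[i + 2]);
            if (hi >= 0 && lo >= 0) {
                c = (char)(hi * 16 + lo);
                i += 2;
            }
        }
        if (o + 1 >= out_size) return -1;   /* no room for c plus the NUL */
        out[o++] = c;
    }
    out[o] = '\0';
    return (long)o;
}

/* 1 if decoding `in` yields exactly `expected`, else 0. */
int decode_matches(const char *in, const char *expected)
{
    char out[256];
    long r = percent_decode(in, strlen(in), out, sizeof out);
    return r >= 0 && strcmp(out, expected) == 0;
}

/* Number of characters stored when `src` is shown in a DISPLAY_MAX field. */
size_t display_len(const char *src)
{
    char buf[DISPLAY_MAX];
    return copy_for_display(buf, sizeof buf, src);
}

int main(void)
{
    /* Constructed sample inputs, not taken from any real page. */
    const char *long_name = "a-very-long-filename-from-a-hostile-page.exe";
    const char *odd_url = "http://x/:%";
    char buf[DISPLAY_MAX];
    char out[64];

    copy_for_display(buf, sizeof buf, long_name);
    printf("display: \"%s\"\n", buf);

    long r = percent_decode(odd_url, strlen(odd_url), out, sizeof out);
    printf("decoded %ld bytes: \"%s\"\n", r, out);
    return 0;
}
```

The display copy never trusts the caller-supplied length; the decoder never reads an index it has not proven to lie inside `n`. Those two checks are exactly what is missing when a "long filename" overflow or a trailing-`%` over-read is reported.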