Information Security News mailing list archives

Previous By Date Next
Previous By Thread Next

After the pwnage: Critical Google Chrome hole plugged in 24 hours

From: InfoSec News <alerts () infosecnews org>
Date: Fri, 9 Mar 2012 03:23:10 -0600 (CST)
http://arstechnica.com/business/news/2012/03/after-the-pwnage-critical-google-chrome-hole-plugged-in-24-hours.ars

By Dan Goodin
ars technica
March 8, 2012
Less than 24 hours after a Russian hacker pocketed $60,000 by exploiting a previously unknown critical vulnerability in Google Chrome, company developers released an update removing the security threat.
The quick turnaround underscores one of the key advantages of Google's open-source browser: the speed in which highly complex bugs are fixed and updates are pushed out to users. By contrast, Microsoft, which must run updates through a battery of rigorous quality-assurance tests, often takes months to fix bugs of similar complexity.
A post published Thursday morning to the Google Chrome Release blog said technical details will be withheld until a majority of users have actually installed the fix. For now, it described the vulnerability as an "UXSS and bad history navigation" issue and identified it as CVE-2011-3046.
Even after a more detailed description is published, it's likely some characteristics will be withheld. Chrome is based on the WebKit, the same browser engine powering Apple Safari and many mobile browsers. Google researchers will likely be reluctant to provide information making it easier for hackers to compromise users of those systems until they've been updated as well. 

[...]


______________________________________________________________________________
Certified Ethical Hacker and CISSP training with Expanding Security gives
the best training and support.  Get a free live class invite weekly.  Best
program, best price. http://www.ExpandingSecurity.com/PainPill
Previous By Date Next
Previous By Thread Next

Current thread: