Information Security News mailing list archives
After the pwnage: Critical Google Chrome hole plugged in 24 hours
From: InfoSec News <alerts () infosecnews org>
Date: Fri, 9 Mar 2012 03:23:10 -0600 (CST)
http://arstechnica.com/business/news/2012/03/after-the-pwnage-critical-google-chrome-hole-plugged-in-24-hours.ars
By Dan Goodin
ars technica
March 8, 2012
Less than 24 hours after a Russian hacker pocketed $60,000 by exploiting a previously unknown critical vulnerability in Google Chrome, company developers released an update removing the security threat.
The quick turnaround underscores one of the key advantages of Google's open-source browser: the speed in which highly complex bugs are fixed and updates are pushed out to users. By contrast, Microsoft, which must run updates through a battery of rigorous quality-assurance tests, often takes months to fix bugs of similar complexity.
A post published Thursday morning to the Google Chrome Release blog said technical details will be withheld until a majority of users have actually installed the fix. For now, it described the vulnerability as an "UXSS and bad history navigation" issue and identified it as CVE-2011-3046.
Even after a more detailed description is published, it's likely some characteristics will be withheld. Chrome is based on WebKit, the same browser engine powering Apple Safari and many mobile browsers. Google researchers will likely be reluctant to provide information making it easier for hackers to compromise users of those systems until they've been updated as well.
[...]