Google Patches Rare Critical Vulnerability in Chrome - haassobsell

Google has patched a critical Chrome vulnerability disclosed Wednesday at the CanSecWest security conference in Vancouver that can be exploited to escape the browser's secure sandbox.

Russian security researcher Sergey Glazunov demonstrated a remote code-execution (RCE) exploit against a fully patched version of Chrome on Windows 7 as part of Google's Pwnium contest held at the conference.

Glazunov's exploit leveraged two Chrome vulnerabilities — one that allows the execution of arbitrary code and one that bypasses the browser's much-touted security sandbox, which normally restricts such exploits.

Remote code-execution vulnerabilities, while very serious, are relatively common across all software products. However, sandbox escape ones are extremely rare and, according to TippingPoint, which runs the separate Pwn2Own contest at CanSecWest, are worth much more than the US$60,000 Glazunov received from Google for reporting it.

Both vulnerabilities leveraged by Glazunov's exploit were fixed in Google Chrome 17.0.963.78, which was released on Thursday.

"We had the first successful exploit at Pwnium yesterday, and today we're already rolling out an update to protect our users," said Sundar Pichai, Google's senior vice president for Chrome, on Thursday via his Google+ account. "The team took less than 24 hours from first report to verification to fix development to getting a fix out."

Because of Chrome's auto-update feature, users just need to restart their browsers in order to deploy the security fix. Organizations can deploy the critical update by using the Google Update for enterprise policy.

Glazunov's was not the only Chrome sandbox escape exploit demoed at CanSecWest. A team of researchers from French security vendor VUPEN presented a similar attack as part of TippingPoint's Pwn2Own contest.

However, the Pwn2Own rules don't require researchers to disclose sandbox-escape vulnerabilities to vendors, primarily because the prize money wouldn't justify their disclosure. This means that there is still one highly critical Chrome vulnerability out there that remains unpatched.

The Chrome security team suspects that it's located in the Flash Player plug-in bundled with the browser by default and not in Chrome's own code. There is no confirmation from VUPEN regarding this theory, but if true, the task of patching the vulnerability would fall to Adobe Systems.

Source: https://www.pcworld.com/article/468952/google_patches_rare_critical_vulnerability_in_chrome.html

Posted by: haassobsell.blogspot.com
