Google Issues Fix For Critical Chrome Bug
Google issued a silent patch (which updates without asking the user) for a critical validation error in the browser, which, if exploited, would allow an attacker to run malicious code with the same authentication rights as the logged-on user. The flaw stems from a failure to properly validate input from a tab process, which could enable an attacker to crash the victim's browser.
In addition, Google fixed a second security bug, rated "High" in severity, in the browser's Skia 2D graphics function. The flaw could allow an attacker to create a specially crafted image that causes a tab to crash and launches malicious code inside the Google Chrome sandbox.
A victim could become infected after opening, in Google Chrome, a malicious Web page under the attacker's control, typically reached through an embedded link delivered via e-mail as part of a social engineering scam.
This latest update comes about two weeks after Google patched yet another gaping security hole in Chrome. That flaw, flagged as "High" severity, was a Same Origin Policy bypass in the ChromeHTML protocol handler.
Specifically, an error in the way the browser handled URLs with a ChromeHTML protocol could have allowed an attacker to run malicious scripts at will on any Web page or enumerate files on the local disk. If a victim visited a malicious Web site in Internet Explorer, the error could cause Google Chrome to launch, open multiple tabs and load malicious scripts that redirect a user to a malicious URL under the control of the attacker.