Samker's Computer Forum - SCforum.info

World TOP Headlines: => Latest Security News & Alerts => Topic started by: Fireberg on 20. November 2009., 20:23:28

Title: Google Chrome Frame patches Microsoft-reported security bug
Post by: Fireberg on 20. November 2009., 20:23:28

The Microsoft Vulnerability Research (MSVR) team found and reported a vulnerability in Google Chrome Frame. The result is a new version that fixes the security flaw, among other issues.

This week, Google released an update to Google Chrome Frame. Version 4.0.245.1 is available and all users should be updated automatically, according to Google Chrome Releases. The release fixes issues where the plugin would not follow redirects properly, where network requests would fail randomly, and where it would freeze IE8 intermittently. What really caught our eye though, was the security fix that's included in the release, and especially who gets the credit for finding it:

Security Fix: Google Chrome Frame 4.0.223.9 and earlier versions were vulnerable to a cross-origin bypass.

Severity: High. An attacker could have bypassed cross-origin protections. Although important, "High" severity issues do not permit persistent malware to infect a user's machine. We're unaware of any exploitation of this issue.

Credit: Thanks to Billy Rios and Microsoft Vulnerability Research (MSVR) and also to Lostmon for finding and reporting this vulnerability responsibly.

That's right, you read that correctly. After Google Chrome Frame was released this past September, Microsoft shot back days later saying that the plugin doubles the attack area for malware and malicious scripts.

As a result, the software giant specifically said it did not recommend that Internet Explorer users install it, so as to avoid having more security issues than they already have. Now Microsoft is putting its money where its mouth is by finding a security flaw that was present in all versions since the plugin was released. Thankfully, the flaw had not been exploited yet.

Back in August 2008, Microsoft unveiled three new programs that strengthen its stance on security. One of those was Microsoft Vulnerability Research (MSVR), a program focused on disclosing security vulnerabilities in third-party software running on Windows. In other words, the MSVR team helps third-party software providers by reporting vulnerabilities to them, assisting them with resolution plans to help improve the security of their software, and does it all confidentially (which is why we didn't hear about this issue until Google patched it). The company leverages both internal resources (its own security experts working to find vulnerabilities in Windows) and external resources (security researchers that do not work for Microsoft who find threats in third-party software) to do so.

Found via Slashdot

Title: Re: Google Chrome Frame patches Microsoft-reported security bug
Post by: Samker on 20. November 2009., 21:33:05
Thanks F. for this news.

I think that it'll be better for Microsoft to fix all bugs in IE versions first... :)