Topic: Google patch Chrome again, second time this month

[Samker]

Google patched three vulnerabilities in the Windows version of Chrome earlier in the week, marking the second time that it's plugged security holes this month.

Tuesday's update to Chrome 4.1.249.1064 fixed three flaws rated "high," the second-most-severe threat ranking in Google's four-step system: http://googlechromereleases.blogspot.com/2010/04/stable-update-bug-and-security-fixes.html?
Danish vulnerability tracker Secunia rated the update as "highly critical" using its own severity ranking: http://secunia.com/advisories/39651

As is Google's practice, technical details of the vulnerabilities were hidden from public view, a tactic the company uses to prevent attackers from accessing the information until the majority of users have updated to the new version.

Researchers credited with reporting two of the flaws were awarded bonuses as part of Google's bug bounty program , which kicked off in January. Most flaws earn their finders $500, but researcher Jordi Chancel was handed $1,000 for the cross-origin bypass vulnerability he found in Chrome's handling of Google URL, a code library used to parse large numbers of Web addresses.

Chancel has also caught bugs in other browsers . Last December, for example, Mozilla patched a URL-spoofing flaw Chancel found in Firefox: http://www.mozilla.org/security/announce/2009/mfsa2009-69.html

Google patched the Windows "stable" channel -- a term Google uses in place of "final" -- but left the Mac and Linux versions of Chrome untouched, as they have not yet left the "beta" channel.

The update was the second in two weeks for Chrome: Google also patched the Windows edition on April 20, quashing seven vulnerabilities , four of them ranked "high" and three labeled "medium," the next-lowest rating: http://googlechromereleases.blogspot.com/2010/04/stable-update-security-fixes.html?
Most of those flaws had been found by Google's own security engineers, but the company paid out $500 each to two outside researchers for reporting bugs.

Google typically patches Chrome more frequently than rivals such as Microsoft and Mozilla, in part because the browser updates itself silently in the background without notifying the user. Chrome has been patched five times so far this year, while Microsoft has updated Internet Explorer twice in 2010, both times with emergency patches to close holes that hackers were already exploiting. Mozilla has also patched Firefox twice this year.

Chrome is the world's third-most-popular browser, accounting for approximately 6% of the browsers in use, according to the most recent numbers from Web metrics company NetApplications.

Google Chrome can be downloaded for Windows XP, Vista and Windows 7 from the company's site: http://www.google.com/chrome
Users running the stable build will receive the update automatically.

(CW)