Topic: Chrome update completes busy browser patch week

[Samker]

Google has pushed out an update designed to fix a pair of vulnerabilities involving the WebKit application framework that underpins its Chrome browser.

The most severe of the two flaws involved a "high risk" memory corruption flaw in WebKit, which creates a potential means for hackers to inject hostile code into the sandbox used by the browser. The second flaw involves a less severe information disclosure risk, involving the Drag and Drop functionality built into WebKit.

Google's advisory can be found here: http://googlechromereleases.blogspot.com/2009/06/stable-update-2-webkit-security-fixes.html

The update completes a busy week on the browser security front with a significant cumulative update for Internet Explorer on Tuesday and a Firefox update on Thursday. In addition, Apple released a beta version of its Safari 4 browser earlier this week.

Outside the browser security arena, Adobe released the first of its scheduled patch updates on Tuesday, and FreeBSD dropped an update designed to defend against a stack-based buffer-overflow that poses a potential code injection risk.

It's becoming more difficult for hard-pressed sys admins to keep track of updates, especially when many arrive without any indication a fix is in development.

Some security patching experts, such as Andrew Storms, director of security operations at nCircle, advocate the creation on a general industry patching day to make the patching process easier to plan and manage, security blogger Ryan Naraine reports: http://www.threatpost.com/blogs/time-has-come-industry-patch-week

(The Register)