Topic: Google Chrome Frame patches Microsoft-reported security bug

Fireberg



The Microsoft Vulnerability Research (MSVR) team found and reported a vulnerability in Google Chrome Frame. The result is a new version that fixes the security flaw, among other issues.

This week, Google released an update to Google Chrome Frame. Version 4.0.245.1 is available and all users should be updated automatically, according to Google Chrome Releases. The release fixes issues where the plugin would not follow redirects properly, where network requests would fail randomly, and where it would freeze IE8 intermittently. What really caught our eye though, was the security fix that's included in the release, and especially who gets the credit for finding it:

Security Fix: Google Chrome Frame 4.0.223.9 and earlier versions were vulnerable to a cross-origin bypass.

Severity: High. An attacker could have bypassed cross-origin protections. Although important, "High" severity issues do not permit persistent malware to infect a user's machine. We're unaware of any exploitation of this issue.

Credit: Thanks to Billy Rios and Microsoft Vulnerability Research (MSVR) and also to Lostmon for finding and reporting this vulnerability responsibly.

That's right, you read that correctly. After Google Chrome Frame was released this past September, Microsoft shot back days later saying that the plugin doubles the attack area for malware and malicious scripts.

As a result, the software giant specifically said it did not recommend that Internet Explorer users install it, so as to avoid having more security issues than they already have. Now Microsoft is putting its money where its mouth is by finding a security flaw that was present in all versions since the plugin was released. Thankfully, the flaw had not been exploited yet.

Back in August 2008, Microsoft unveiled three new programs that strengthen its stance on security. One of those was Microsoft Vulnerability Research (MSVR), a program focused on disclosing security vulnerabilities in third-party software running on Windows. In other words, the MSVR team helps third-party software providers by reporting vulnerabilities to them, assisting them with resolution plans to help improve the security of their software, and does it all confidentially (which is why we didn't hear about this issue until Google patched it). The company leverages both internal resources (its own security experts working to find vulnerabilities in Windows) and external resources (security researchers that do not work for Microsoft who find threats in third-party software) to do so.

Found via Slashdot



Samker

Re: Google Chrome Frame patches Microsoft-reported security bug
« Reply #1 on: 20. November 2009., 21:33:05 »
Thanks F. for this news.

I think that it'll be better for Microsoft to fix all bugs in IE versions first... :)
