Google quashes 12 Chrome bugs, gives users early Flash fix

IE, Firefox, Safari users don't get Flash Player update until later today

Google today patched 12 vulnerabilities in its Chrome browser, all of them rated as high-level threats by the company's security team.

The patched version of Chrome also included an update to Adobe's Flash Player, giving Google users an early fix for a critical flaw that hackers have been exploiting with rigged PDF documents. Adobe plans to release that Flash patch to users of other browsers later today.

The dozen flaws fixed today in Chrome 7.0.517.44 include a pair related to SVG (Scalable Vector Graphics), a collection of XML specifications for describing two-dimensional vector graphics; one in Chrome's V8 JavaScript engine; and three involving aspects of the browser's text handling.

Google paid $7,500 in bounties to eight researchers who reported 11 of the 12 bugs, the most it's awarded since mid-August when the company handed out $8,674.

As usual, Google locked down its bug tracking database to bar outsiders from picking up technical details of the vulnerabilities. The company usually unlocks access to a flaw several weeks after a patch ships, to give users time to update before the information goes public.

Other browser makers, including Mozilla, do the same.

Today's update to the "stable" build -- Google maintains three separate "channels" for Chrome, ranging from stable to "beta" to "dev" -- included a revamped version of Flash Player, the popular media playing plug-in.

Seven months ago, Google and Adobe struck a deal that lets the former bundle Flash Player with Chrome and upgrade the plug-in using the browser's own silent updater. This is the second time in six weeks that Chrome users received a patched Flash Player before people running rival browsers, such as Microsoft's Internet Explorer or Mozilla's Firefox.

Last week, Adobe confirmed that Flash contained a critical bug that attackers were exploiting in the wild, and promised to fix the flaw by Nov. 9. Earlier this week, however, Adobe bumped up the release of the Flash update to today, saying that it had wrapped up work faster than anticipated.

Although the bug is in Flash, hackers are actually using malicious PDF documents; Adobe's Reader includes code to render Flash from within a PDF, and that code is also flawed. Adobe is planning to issue a fix for Reader and the Acrobat PDF-creation software the week of Nov. 15.

Thursday's update was the second round of Chrome security fixes since the browser jumped to version 7 late last month.

According to Web metrics company Net Applications, Google's hands-off update technology -- which automatically applies not only patches, but also new features -- shifted the bulk of Chrome 6 users to the new Chrome 7 within days.

A week after the Oct. 21 launch of Chrome 7, that version outnumbered its predecessor in usage share by more than 7-to-1.

Chrome 7 can be downloaded for Windows, Mac OS X and Linux from Google's Web site. Users already running the browser will be updated automatically.

Also today, Google updated the "beta" channel of Chrome to version 8.0.552.28, which adds an integrated PDF viewer plug-in to the browser.


Stories by Gregg Keizer
