
Network World

Julie Bort

Google releases its eighth patch in '09 for Google Chrome

Google fixed a buffer overflow hole and two networking problems

By Google Subnet on Wed, 06/24/09 - 1:26pm.

Earlier this week, Google issued a patch for a critical vulnerability in Google Chrome. The patch fixed a buffer overflow vulnerability that could allow an attacker to run code. The fixed version is Google Chrome 2.0.172.33, and it has been released to both the Stable and Beta channels.

This release also fixed two other networking bugs: 1) NTLM authentication to Squid proxies fails when trying to connect to HTTPS sites (Issue 8771); 2) Browser crash when loading some HTTPS sites (Issue 13226).

Interestingly, a buffer overflow should be the kind of attack that Chrome is not susceptible to, given the amount of work the Google team has done to have most of the browser's functions operate within the browser's sandbox. And yet, this flaw is enabled from code outside of the sandbox in the kernel, says Google. It was Google's own team that found the vulnerability. And, with the fix pushed out, the team has openly published details about how the attack works.

This marks the eighth patch the Google team has issued to fix vulnerabilities in its browser since February, and the third so far in June. In comparison, Mozilla Firefox has had seven patches in 2009 and Internet Explorer only three, according to Secunia. While we give credit to the Google team for its openness about vulnerabilities, we have to wonder why the company is investing so heavily in Chrome when it could have thrown its power behind Firefox.

Google is a major backer of Mozilla's Firefox. In 2008, just months before launching its own competing browser, Google renewed its almost-expired relationship with Mozilla, extending it to 2011. The two organizations have kept mum about the details of the deal, but it is widely known that Mozilla obtains most of its revenues from Google via an agreement that makes Google search the default search mechanism in several areas of Firefox.

While we can see why, for control-freak purposes, Google might want to own its browser as it drives deeper into enterprise applications and cloud computing, we wonder if anyone else benefits. Are the company's would-be customers, enterprises, really served by another browser that could be an entryway for hackers? Would you be happier if Google had simply put its considerable programming and security testing resources behind Firefox?

About Google Subnet Blog

The Google Subnet blog is the official blog of Network World's Google Subnet community. Google Subnet is the independent voice of Google customers and is your gateway to daily Google news, blogs, tips and more. Visit the Google Subnet home page daily.