Glazunov’s exploit leveraged two Chrome vulnerabilities — one that allows the execution of arbitrary code and one that bypasses the browser’s much-touted security sandbox, which normally restricts such exploits.
Remote code-execution vulnerabilities, while very serious, are relatively common in all software products. However, sandbox-escape vulnerabilities are extremely rare and, according to TippingPoint, which runs the separate Pwn2Own competition at CanSecWest, are worth much more than the US$60,000 Glazunov earned from Google for reporting it.
Both vulnerabilities leveraged by Glazunov’s exploit were fixed in Google Chrome 17.0.963.78, which was released on Thursday.
“We had the first successful exploit at Pwnium yesterday, and today we’ve already rolled out an update to protect the users,” said Sundar Pichai, Google’s senior vice president for Chrome, on Thursday via his Google+ account. “The team took less than 24 hours from initial report to verification to fix development to getting the fix out.”
Because of Chrome’s auto-update feature, users only need to restart their browsers in order to deploy the security fix. Organizations can deploy the critical update by using the Google Update for enterprise policy.
Glazunov’s was not the only Chrome sandbox-escape exploit demoed at CanSecWest. A team of researchers from French security vendor VUPEN presented a similar attack as part of TippingPoint’s Pwn2Own contest.
However, the Pwn2Own rules don’t require researchers to disclose sandbox-escape vulnerabilities to vendors, primarily because the prize money wouldn’t justify their disclosure. This means that there is still one highly critical Chrome vulnerability out there that remains unpatched.
The Chrome security team suspects that it’s located in the Flash Player plug-in bundled with the browser by default and not in Chrome’s own code. There is no confirmation from VUPEN regarding this theory, but if true, the task of patching the vulnerability would fall to Adobe Systems.
Article source: http://www.computerworlduk.com/news/security/3343468/google-patches-rare-critical-vulnerability-in-chrome/