Google Updates Chrome for Security, IE
Nine highly critical flaws get patched in Chrome as Google's Chrome Frame hits beta.
Just two weeks after releasing its Chrome 5 browser as a stable release for Mac and Linux, Google is now providing users with an update fixing at least 11 security flaws, nine of which are rated as being highly critical -- the top level in Google's severity ratings scale.
In addition to patching security vulnerabilities with the new Chrome 5.0.375.70 release, Google (NASDAQ: GOOG) this week has also released the first beta for its Chrome Frame plug-in, which enables Microsoft Internet Explorer users to run the browser inside of its own Internet Explorer.
The Google Chrome 5.0.375.70 update, which is being made available for Linux, Mac and Windows users of Chrome, follows Apple's Safari 5 update on Tuesday. Both Chrome and Safari use the open source WebKit rendering engine, and Google said at least two of the security issues fixed in Chrome 5.0.375.70 had been identified by Apple (NASDAQ: AAPL): a pair of high memory corruption issues affecting font handling and rendering.
Google is also paying out a total of $2,500 in reward money to two different security researchers for finding high-severity bugs that have now been fixed in Chrome 5.0.375.70. Google credits researcher Sergey Glazunov with reporting a cross-origin bypass issue in Chrome's DOM, or Document Object Model. Glazunov will receive $2,000 for his efforts. A researcher that Google credits as "wushi of team 509," is being paid $500 for the discovery of a memory error in table layout.
The search giant began paying security researchers for their discoveries earlier this year, in an effort known as the Chromium Security Award.
Among the other highly critical bugs fixed in Chrome 5.0.375.70 is one that is specific to Linux only. The issue is a sandbox escape flaw that Google credits to security researcher Mark Dowd, working under contract to Google Chrome Security Team. Dowd is a security researcher known for his research into Microsoft's Killbit technology for IE, as well as for the discovery of security vulnerabilities relating to Adobe's Flash.
Dowd is also credited by Google for two other highly critical issues fixed in Chrome 5.0.375.70: a bitmap stale-pointer flaw and memory corruption in a DOM node normalization.
Chrome Frame goes beta with a security focus
While Chrome 5.0.375.70 is a standalone browser that runs on Windows, Linux and Mac, Chrome Frame enables Microsoft IE users to benefit from Chrome, too. Chrome Frame had first been announced as a developer preview in September 2009 and this week is now being updated to a beta release.
Among the early criticisms that Chrome 5 faced was that it would make IE users even less secure. That allegation was backed up by the Microsoft discovery of a security flaw in Chrome Frame in November 2009.
With the beta release of Chrome Frame, Google is aiming to provide a more stable and secure experience for users.
"Since our initial launch, we've been listening to developers: Instead of adding new bells and whistles, we've fixed more than 200 bugs to make integration with Internet Explorer seamless while improving security, stability, and performance," Google developers Amit Joshi and Alex Russell wrote in a blog post.