Google is updating the stable version of its Chrome Web browser for Windows users this week, releasing version 220.127.116.116 with at least eight patches for vulnerabilities that could have left users at risk of being exploited.
Security rating firm Secunia identified the vulnerabilities that Chrome is being updated for as “highly critical.” Google itself specifically identified five of the vulnerabilities with the rating of “high.” In both cases, that is the second-highest severity rating on the scale each uses.
Google is not publicly providing any significant detail about its highly rated vulnerabilities other than to provide the names of the fixed issues.
“Note that the referenced bugs may be kept private until a majority of our users are up to date with the fix,” Google wrote on the Chrome release blog.
The Chrome update comes at a time when browser vendors are racing to fix vulnerabilities prior to the pwn2own hacking contest next week. Pwn2own occurs within the CanSecWest security conference in Vancouver, Canada, and provides participants with up to $100,000 of prize money for successfully exploiting technology. Part of the pwn2own contest involves a browser security event in which security experts aim to exploit browsers.
During the 2009 pwn2own event, all of the tested browsers, including Safari, Microsoft Internet Explorer and Mozilla Firefox, suffered exploits.
WebKit and other Chrome vulnerabilities
WebKit is the core rendering engine used by both Chrome and Apple’s Safari Web browser. Safari was updated earlier this month to version 4.0.5, fixing 16 flaws in total, with nine fixes targeting a variety of security vulnerabilities in WebKit.
Unlike Apple, which provides industry-standard CVE (Common Vulnerabilities and Exposures) identifiers for its vulnerabilities, Google’s 18.104.22.1686 Chrome update does not, making it difficult to determine whether Google is fixing the same flaws fixed by Apple.
In addition to the WebKit flaw, Chrome 22.214.171.1246 provides other fixes for which Google paid out reward money — a memory error and a cross-origin bypass flaw.