Google updated its Chrome Web browser for the second time in a week late Friday, fixing at least three new security vulnerabilities. In addition to the security fixes with its own code, the Chrome 6.0.472.62 release for Windows, Linux and Mac also provides an integrated fix for an Adobe Flash plugin flaw, ahead of all other major browser vendors.
The Chrome 6.0.472.62 update follows the Chrome 6.0.472.59 update, which fixed at least?nine flaws in the browser.
One of the key fixes in the new Chrome release is the updated Flash player plugin. Google has been directly integrating the Adobe Flash Player into the Chrome browser since the Chrome 5.0.375.8 update in June. Unlike all other browsers, Google includes Adobe Flash as part of the browser as opposed to it being a separate and distinct add-on that users need to download, install and update.
Adobe issued an advisory on Sept. 13 for a critical vulnerability in its Flash Player that could enable an attacker to crash a vulnerable system and potentially take control of the system. Adobe is planning to issue an update for Flash Player on Windows, Macintosh and Linux today. The included fix for Chrome users became available late Friday, ahead of users for every other implementation of the Flash Player.
In addition to the Adobe fix, Chrome 6.0.472.62 fixes a malformed SVG graphics issue. The SVG graphics issue was reported by security researcher “wushi” who was awarded $500 for the disclosure. Security researcher Stefano Di Paola is being awarded $1,000 for a cross-origin property pollution security risk. Google pays out awards to security researchers as part of the Chromium Security Award initiative, which pays out cash rewards for security disclosures.
While Google benefits from the reports of third-party security researchers, their own researchers are also actively working on securing Chrome. Google security researcher Ron Ten-Hove is credited with a critical flaw discovery in a buffer mismanagement issue related to the SPDY protocol supported by Chrome. SPDY (pronounced, “Speedy”) is a new open source application layer protocol developed by Google to help accelerate Web traffic.
Follow eSecurityPlanet on Twitter @eSecurityP.