Ok, the Google Chrome browser had some problems. Yet, as a Google Chrome browser enthusiast, I am always impressed by both the rarity of such problems and Google’s attention to fixing them. It may not be the only reason it is my default browser but it is certainly one of them. I am particularly pleased that their focus on keeping the user experience trustworthy includes reaching out (and giving credit to) the Chrome user community as well as Google employees. Giving credit where credit is due is important.
Thus, even before writing this, I checked to make sure I had the patches to fix 11 vulnerabilities in Chrome that were released yesterday (August 22). I did and I feel better, especially since one of the bugs identified was deemed “critical.”
Chrome vulnerabilities found and fixed
For the technically minded, the following two links will get your juices flowing.
- As cited above, Google Chrome Releases is a company blog that lists the fixes and who deserves credit and is not a bad thing to bookmark.
- Chromium Security provides information and links on how you too can be rewarded for spotting a problem.
If you are a Chrome user, you will be automatically updated, and if you wish to try Chrome, click here for the latest version for Windows XP, Vista and Windows 7, which include the fixes.
To summarize here is what just got de-bugged. It included: one that got Google’s highest risk rating of “critical," nine rated as "high" and one "medium."
As characterized in a Computerworld article, the list of vulnerabilities fixed were:
- Critical – a “memory corruption in vertex handing," referring to code that adds special effects such as textures to 3-D shapes that affected only the Windows version of Chrome.
- High —four “use-after-free” bugs that can be used to inject attack code.
- Medium — URL parsing confusion on the command line.
Keeping up with the bad guys
If you are keeping score at home, this is the second time this month Chrome has been de-bugged, and the “critical” designation is the sixth of the year. As a mandated precaution employed in all such instances, Google locked down the Chrome bug-tracking database which will remain closed until the coast is clear, e.g., most people have updated, so as to protect the entire Chrome community from being exploited because of a premature release of the specifics of the problems.
As noted above and in the various reports about this, the engagement of users through the bounty program is a key element in keeping Chrome safe. Google paid $8,337 in bounties to seven researchers from outside the company who reported eight of the vulnerabilities. It has paid out more than $120,000 so far this year.
While not a reason to quit one’s day job, bounties have proven to be an effective incentive to outsiders.
Happy browsing. Thank you Google.
Want to learn more about the latest in communications and technology? Then be sure to attend ITEXPO West 2011, taking place Sept. 13-15, 2011, in Austin, Texas. ITEXPO offers an educational program to help corporate decision makers select the right IP-based voice, video, fax and unified communications solutions to improve their operations. It's also where service providers learn how to profitably roll out the services their subscribers are clamoring for – and where resellers can learn about new growth opportunities. To register, click here.
Peter Bernstein is a technology industry veteran, having worked in multiple capacities with several of the industry's biggest brands, including Avaya, Alcatel-Lucent, Telcordia, HP, Siemens, Nortel, France Telecom, and others, and having served on the Advisory Boards of 15 technology startups. To read more of Peter's work, please visit his columnist page.Edited by
Rich Steeves