Microsoft Vulnerability Research discovers two Chrome flaws

Microsoft's Vulnerability Research program, launched on Tuesday, April 19th, has begun its work by publishing two vulnerabilities in Google's Chrome web browser. Both bugs Microsoft discovered have reportedly since been fixed. According to Google, the bugs disclosed by Microsoft are 'quite old' and were fixed by the end of last year. The specific issues Microsoft drew attention to were designated MSVR11-001 and MSVR11-002. As Network World reports, the two bugs are as follows:

MSVR11-001 could allow remote code execution inside Chrome's sandbox. Microsoft has stated the following:

“A sandboxed remote code execution vulnerability exists in the way that Google Chrome attempts to reference memory that has been freed. An attacker could exploit the vulnerability to cause the browser to become unresponsive and/or exit unexpectedly, allowing an attacker to run arbitrary code within the Google Chrome Sandbox. The Google Chrome Sandbox is read and write isolated from the local file system which limits an attacker.”

MSVR11-002 affects older versions of Google Chrome and older versions of Opera; specifically, the first releases no longer affected were Chrome 8.0.552.210 and Opera 10.62. The bug concerns the way the two browsers handle HTML5: they process the code in a manner that could 'allow information disclosure'. An official Microsoft statement said the following:

“Specifically, as the World Wide Web Consortium (W3C) describes in the HTML5 specification for security with canvas elements, information leakage can occur if scripts from one origin can access information from another origin.”
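As an added illustration (not part of the article or of Microsoft's advisory), the following Node.js model shows the W3C origin-clean rule the statement refers to: a canvas starts clean, drawing an image from another origin without CORS approval taints it, and pixel read-back from a tainted canvas must fail with a SecurityError. The canvas objects and function names here are a simplified model, not the real browser API.

```javascript
// Simplified model of the HTML5 canvas origin-clean rule (added example).
// createCanvas/drawImage/getImageData are model functions, not browser APIs.

// A web origin is the (scheme, host, port) triple; URL.host already drops
// the default port, so http://a.example:80 and http://a.example compare equal.
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.host}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// A canvas embedded in a page starts with its origin-clean flag set.
function createCanvas(pageUrl) {
  return { pageUrl, originClean: true, sources: [] };
}

// image.corsApproved models a successful crossOrigin="anonymous" fetch whose
// Access-Control-Allow-Origin header matched the page's origin. Drawing any
// other cross-origin image clears the flag; it is never set back to true.
function drawImage(canvas, image) {
  if (!sameOrigin(canvas.pageUrl, image.url) && !image.corsApproved) {
    canvas.originClean = false;
  }
  canvas.sources.push(image.url);
  return canvas;
}

// getImageData / toDataURL must throw SecurityError once the canvas is
// tainted; a browser that returns pixels here leaks cross-origin data.
function getImageData(canvas) {
  if (!canvas.originClean) {
    const err = new Error("The canvas has been tainted by cross-origin data");
    err.name = "SecurityError";
    throw err;
  }
  return canvas.sources.slice();
}

// Convenience check: can a script on the page read this canvas back?
function readbackAllowed(canvas) {
  try {
    getImageData(canvas);
    return true;
  } catch (e) {
    if (e.name === "SecurityError") return false;
    throw e;
  }
}
```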

The good news about both of these flaws is that they require quite specific circumstances to be triggered. For example, leaking any information via the HTML5 handling bug requires the IP address of the target, which limits the likelihood of it happening. While these issues may appear outdated, Microsoft is evidently working to tighten the security of other software running on Windows operating systems. Opera Software and Google may have been the first targets of the Microsoft Security Research Program, but they will certainly not be the only groups to appear in the MSVR program's findings. Those using affected versions of Chrome or Opera are advised to upgrade, if only for the sake of running the most up-to-date version of their software.


soldier1st said,
I think MS is somehow trying to downplay Google and scare users so much so that they will switch from Chrome to the flawed IE.

Don't confuse fact with assumption. Unless Google denied such flaws didn't exist in Chrome, it would be a FUD by MS.

Further, I think this is becoming a common practice in the industry these days, where companies help each other discover vulnerabilities in their own products. It also means good and healthy competition.
Don't take the FUD, take the brighter side: MS has helped Google Chrome to be stronger against vulnerabilities. Isn't helping each other in need a good attitude?

I'm confused. MSVR just started in April 2011, but Microsoft reported this to Google in summer 2010, and it was fixed in Fall 2010? Are they simply reporting publicly what they initially reported directly to Google a year ago? I clearly don't understand the MSVR program.

Do people use older versions of Chrome? It updates itself so quietly I'd be surprised if someone managed/bothered to force it to only update when they wanted it to.

what said,
Do people use older versions of Chrome? It updates itself so quietly I'd be surprised if someone managed/bothered to force it to only update when they wanted it to.

Yes, I'm not sure you can even use Chrome 8, where this flaw was discovered? At least not if you are connected to the Internet. After a while, Chrome will not even wait for you to manually update, and will have updated itself at the next start.

Any Chrome 8 users here come forward.

Yeah, they do. You'd be surprised at the looong tail end of users not on the latest versions of Chrome. It's a small number, and I'm not sure how it occurs, but there are certainly still people using version 1 (and below!) of Chrome. (Google Analytics on a large website is my source.)

what said,
Do people use older versions of Chrome? It updates itself so quietly I'd be surprised if someone managed/bothered to force it to only update when they wanted it to.

I've seen users with Chrome 2.0!

Meph said,
Shouldn't they be finding vulnerabilities in their own software?

Was thinking the same thing! Maybe they don't want to dig too deep for fear of what they might uncover

Meph said,
Shouldn't they be finding vulnerabilities in their own software?

Vulnerabilities in Chrome for Windows can be of interest since they can present an attack vector into Microsoft's software.

Meph said,
Shouldn't they be finding vulnerabilities in their own software?

Well I still give them credit for doing it responsibly instead of the way Google tried to stick it to Microsoft last year with a vulnerability Google discovered in what I think was IE 8.

Northgrove said,

Vulnerabilities in Chrome for Windows can be of interest since they can present an attack vector into Microsoft's software.

+1

Thanks for not being an idiot. These other people don't understand that Microsoft owns an operating system too.

Dead'Soul said,
It's just for saying IE9 is safer.

Flaws are regularly discovered in Chrome.
Flaws are regularly discovered in IE.
Flaws are regularly discovered in Firefox.
Flaws are regularly discovered in Opera.
Flaws are regularly discovered in Safari.

What matters is how many known unfixed flaws a browser has.

They want people to update their software, so that they would not blame Windows for hacks and malware problems.

This is what I read on the site:

"Microsoft will never reveal vulnerability details before a vendor-supplied update is available for issues we find, unless there is significant evidence of active attacks in the wild."

That's what I was thinking. Why would they bother checking old versions?

It's like Google saying to Microsoft, hey, you had a few security holes in Windows 3.11.

jupe said,
That's what I was thinking. Why would they bother checking old versions?

It's like Google saying to Microsoft, hey, you had a few security holes in Windows 3.11.

These were NOT old versions at the time these flaws were discovered.

Actually, when Chrome 6.0 was released (Sept 02 2010), it was still vulnerable to this flaw even though Google had known about it since the end of July, when MS reported it.

Then Google released another minor version of Chrome 6 a week later, fixing this flaw, about 50 days after being reported.

Benjy91 said,
If they'd already been patched, how did Microsoft find them?

I was wondering the same thing. Maybe there is a typo in this article?

Benjy91 said,
If they'd already been patched, how did Microsoft find them?

They have been patched BECAUSE Microsoft reported them.

For the Google Chrome flaws:
discovered around 2010-05-06:
http://www.cve.mitre.org/cgi-b...name.cgi?name=CVE-2010-1823
reported to Google on 2010-07-26:
http://code.google.com/p/chromium/issues/detail?id=50250

fixed by Google on 2010-09-14:
http://googlechromereleases.bl...eta-channel-updates_14.html

It's interesting to see how long it took Google to fix this flaw (they even released a vulnerable version of Chrome 6.0 final on September 2nd 2010 even though they knew about this flaw).

Benjy91 said,
If they'd already been patched, how did Microsoft find them?

The reporter is biased towards Google and has twisted the story. Simply:

* Microsoft reported various flaws to Google ages ago
(dated April 2010 - http://www.microsoft.com/techn...ty/advisory/msvr11-001.mspx)

* Google took ages to fix these flaws

* Now that Google has fixed the problem, Neowin is implying that Microsoft is wasting time talking about flaws which have been fixed.

link8506 said,
Dates listed

I dunno... Going by those dates, it took almost 2 months (50 days) for Google to fix the issue after it was reported to them. However, it took Microsoft almost 3 months (81 days) to actually report it?

How long/difficult is the process of documenting a bug thoroughly? I'm sure it varies depending on the issue in question, but one would think it'd be more difficult to compile the information given in the report, work up a plan to fix the issue, and successfully implement it, would it not?

Not that it truly matters or anything given that the issue was reported and fixed, but it seems some are willing to jump the gun about the time in between the report and the fix, especially when Microsoft hasn't exactly had the best record for fixing their own known flaws in the past...