Microsoft's Vulnerability Research program, started on Tuesday, April 19th, has started its work with two exploits in Google's Chrome internet browser. The two bugs Microsoft discovered have since been said to have been fixed. According to Google, the bugs disclose by Microsoft are 'quite old', and were fixed by the end of last year. The specific issues Microsoft drew attention to were code-named MSVR11-001 and MSVR11-002. As Network World reports, these bugs are known for the following reasons:
MSVR11-001 could allow remote code to be executed through the sandboxing of Chrome. Microsoft have since stated the following:
”A sandboxed remote code execution vulnerability exists in the way that Google Chrome attempts to reference memory that has been freed. An attacker could exploit the vulnerability to cause the browser to become unresponsive and/or exit unexpectedly, allowing an attacker to run arbitrary code within the Google Chrome Sandbox. The Google Chrome Sandbox is read and write isolated from the local file system which limits an attacker.”
MSVR11-002 is an issue with older versions of Google Chrome, and older versions of Opera. Specifically, the two browsers that marked the end of the issue were Chrome 8.0.552.210, and Opera 10.62. This bug relates to the manner in which the two browsers handle HTML5; they deal with the code in a manner that could 'allow information disclosure'. An official Microsoft statement said the following:
“Specifically, as the World Wide Web Consortium (W3C) describes in the HTML5 specification for security with canvas elements, information leakage can occur if scripts from one origin can access information from another origin.”
The good news about both of these errors, however, is that they require quite specific circumstances to occur. For example, for any information to be leaked via HTML5 handling requires the IP address of the target, limiting the likelihood of the event happening. While these issues may appear outdated, it would appear that Microsoft is working to tighten security issues with other software existing on Windows operating systems. Opera Software and Google may have been the first targets of the Microsoft Security Research Program, though they will definitely not be the only groups to appear in the findings of the MSVR program. Those using versions of Chrome or Opera with these problems are advised to upgrade, if only for the sake of continuing to use the most updated version of software.