also @ TechSpot: Apple's iOS 7 to be "black, white and flat all over"

Microsoft Vulnerability Research discovers two Chrome flaws

By Steven Parker

On April 21, 2011, 11:00 AM

Microsoft's Vulnerability Research program, started on Tuesday, April 19th, has begun its work with two exploits in Google's Chrome internet browser. The two bugs Microsoft discovered have since been reportedly fixed. According to Google, the bugs disclose by Microsoft are 'quite old', and were fixed by the end of last year. The specific issues Microsoft drew attention to were code-named MSVR11-001 and MSVR11-002. As Network World reports, these bugs are known for the following reasons:

MSVR11-001 could allow remote code to be executed through the sandboxing of Chrome. Microsoft have since stated the following:

”A sandboxed remote code execution vulnerability exists in the way that Google Chrome attempts to reference memory that has been freed. An attacker could exploit the vulnerability to cause the browser to become unresponsive and/or exit unexpectedly, allowing an attacker to run arbitrary code within the Google Chrome Sandbox. The Google Chrome Sandbox is read and write isolated from the local file system which limits an attacker.”

MSVR11-002 is an issue with older versions of Google Chrome, and older versions of Opera. Specifically, the two browsers that marked the end of the issue were Chrome 8.0.552.210, and Opera 10.62. This bug relates to the manner in which the two browsers handle HTML5; they deal with the code in a manner that could 'allow information disclosure'. An official Microsoft statement said the following:

“Specifically, as the World Wide Web Consortium (W3C) describes in the HTML5 specification for security with canvas elements, information leakage can occur if scripts from one origin can access information from another origin.”

Read the rest of the article
- This article is brought to you in partnership with Neowin.net

,

11 comments

User Comments: 11

Got something to say? Post a comment
  1. April 21, 2011 11:17 AM
    lawfer, TechSpot Paladin, said:

    Not to to sound grumpy or anything, but why publish this if these issues were already fixed? Chrome is very secure, but not invulnerable; that's a given with pretty much any software. How is this any different than publishing an article about 2 bugs Microsoft found in Firefox, which have been fixed a year ago, for example? In that example, and in this case, I just don't see the... how should I put it? Well, relevance.

    Reply
  2. April 21, 2011 11:25 AM
    mattfrompa
    mattfrompa said:

    Now let's talk about IE...

    Reply
  3. April 21, 2011 12:04 PM
    example1013 said:

    So bugs from 2 release cycles ago make news...?

    Reply
  4. April 21, 2011 12:55 PM
    Guest said:

    Are they aware this will eventually backfire at them?

    Nonetheless, fair competition is always welcome and will benefit everyone in the end.

    Reply
  5. April 21, 2011 12:55 PM
    dunebeetle said:

    This news article makes me think I'm reading a tabloid...

    Reply
  6. April 21, 2011 1:18 PM
    captaincranky
    captaincranky, TechSpot Addict, said:

    This news article makes me think I'm reading a tabloid...
    You are reading a tabloid, electronically!

    Reply
  7. April 21, 2011 1:36 PM
    madboyv1, TechSpot Paladin, said:

    I think the point is that both exploits were reported as fixed but MVR is saying they are working with the exploits *now*, not that they are messing with exploits from old builds (as doing so is more or less pointless since chrome auto-updates all the time). But there is a bit to be desired regarding the explaination of what they're actually saying.

    Reply
  8. April 21, 2011 2:16 PM
    captaincranky
    captaincranky, TechSpot Addict, said:

    If if serves no other purpose, it lets people know that flaws were actually found. M$ is good about the open remediation of its vulnerabilities. Other business models may vary, such as fixing flaws, and not telling users they were ever there.

    Reply
  9. April 21, 2011 2:53 PM
    Saturday said:

    The fact that Microsoft is willing to spend time looking into exploits on a competitors browser, while still having one of the most easily exploitable browsers of their own, is pretty sad.

    Reply
  10. April 21, 2011 6:57 PM
    IAMTHESTIG said:

    How about fixing your own software first Microsoft?

    Reply
  11. April 22, 2011 6:16 AM
    Archean
    Archean, TechSpot Paladin, said:

    @Captain

    Exactly, you said 'others' but I always suspect Google 'silently' patches up its baby, and tell us 'it has released a new version' ...... how convenient !

    Reply

Recently commented stories

Post a new comment

Social Login & Guest Posting TechSpot Members
Login here or sign up for free,
it takes about a minute.
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.
TechSpot on:

Most Popular

Trending Featured
More Trending Topics

Featured on Laptops

Downloads and Drivers

Downloads   Drivers  

KiTTY 0.62.2.3

mIRC 7.32

Actual Bookmarks 1.2

World of Warcraft Patch 5.3.0

Funny Photo Maker 2.4.1

More Downloads

Latest Discussion

Wireless capability keeps turning off 21 replies on Storage and Networking

Need advice on router-buy 10 replies on Storage and Networking

Zotac gtx 660 fan problem 6 replies on Audio and Video

Overclocking i7-3770k, question about speedfan 7 replies on Overclocking, Cooling and Modding

Upgrading my computer 8 replies on Processors and Motherboards

More Recent Discussion

Subscribe to TechSpot

Get free exclusive content, learn about new features and breaking tech news.