WebKit is the rendering engine underneath both Apple Safari and Google Chrome. Yesterday both companies announced security patches for their browsers, many of them in WebKit. Here is a sample of just one entry from the Apple Safari update page.
WebKit
CVE-ID: CVE-2010-1398
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit’s handling of ordered list insertions. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of list insertions. Credit to wushi of team509, working with TippingPoint’s Zero Day Initiative for reporting this issue.
Compare that with the format for the same bug on the Google Chrome update page.
[43487] High Memory corruption in text transforms. Credit to wushi of team509.
That is it, just one line. 43487 looks like a tracking reference number that is internal to Google. I gathered this bug is the same one as the one above from the credit reference to wushi. No CVE? No platform reference? I clicked on the number 43487, which points to code.google.com, so I could read more and confirm details…
Your client does not have permission to get URL /p/chromium/issues/detail?id=43487 from this server.
This is not very impressive. Moreover, it is inconsistent with earlier Chrome security notices, which were done well. The notice of June 9, 2009, for example, explained two WebKit security patches. Here is the first one:
Google Chrome’s Stable channel has been updated to version 2.0.172.31 to fix two security issues in WebKit.
CVE-2009-1690 Memory corruption
A memory corruption issue exists in WebKit’s handling of recursion in certain DOM event handlers. Visiting a maliciously crafted website may lead to a tab crash or arbitrary code execution in the Google Chrome sandbox. This update addresses the issue through improved memory management.
Severity: High. An attacker might be able to run arbitrary code within the Google Chrome sandbox.
Mitigations:
* A victim would need to visit a page under an attacker’s control.
* Any code that an attacker might be able to run inside the renderer process would be inside the sandbox. Click here for more details about sandboxing.
That was more like a normal patch announcement and clearly more useful.
Apple did a nice job. Why did Google switch to the weaker format and to links that only Google staff can open? It is also interesting that what is getting attention is not how little information Google gives, but that it paid a $2000 bounty for just one flaw.
[$2000] [39985] High Cross-origin bypass in DOM methods. Credit to Sergey Glazunov.
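To make the difference between the two formats concrete, here is a small normaliser, added as an example for this post and not code from Apple, Google or the original article. It parses the Apple "Key: value" block and the Chrome one-line items quoted above into one record type and reports which triage fields each format leaves out. The severity vocabulary (Critical/High/Medium/Low), the "[$N]" reward prefix and the "Credit to X, working with Y for reporting" phrasing are assumptions taken from the samples on this page; the sample text below is constructed from those quotes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Advisory:
    """One fixed bug, normalised from either vendor's release notes."""
    source: str                       # "apple" or "chrome"
    bug_id: Optional[str] = None      # vendor tracker id (Chrome issue number)
    cve: Optional[str] = None
    severity: Optional[str] = None    # Chrome severity word; Apple gives none
    impact: Optional[str] = None
    affected: Optional[str] = None    # platforms / versions
    description: Optional[str] = None
    credit: Optional[str] = None
    bounty_usd: Optional[int] = None

    def missing_fields(self) -> List[str]:
        """Fields a reader needs for triage that this record does not carry."""
        wanted = ("cve", "affected", "description", "credit")
        return [f for f in wanted if not getattr(self, f)]


# Chrome one-liner, e.g. "[$2000] [39985] High Cross-origin bypass ... Credit to X."
# Assumed layout: optional "[$N]" reward, "[N]" issue number, one severity word.
CHROME_LINE = re.compile(r"""
    ^\s*
    (?:\[\$(?P<bounty>[\d,]+)\]\s*)?             # optional reward
    \[(?P<bug>\d+)\]\s+                          # chromium issue number
    (?P<severity>Critical|High|Medium|Low)\s+
    (?P<summary>.*?)\.?                          # one-line summary
    (?:\s*Credit\ to\ (?P<credit>.*?)\.?)?       # optional credit
    \s*$
""", re.VERBOSE)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_chrome_notes(text: str) -> List[Advisory]:
    """Parse every security item in a Chrome stable-channel release note."""
    out: List[Advisory] = []
    for line in text.splitlines():
        m = CHROME_LINE.match(line)
        if not m:
            continue          # headings and non-security items are skipped
        cve = CVE_RE.search(line)   # a CVE is recorded only if the line has one
        bounty = m.group("bounty")
        out.append(Advisory(
            source="chrome",
            bug_id=m.group("bug"),
            cve=cve.group(0) if cve else None,
            severity=m.group("severity"),
            description=m.group("summary"),
            credit=m.group("credit"),
            bounty_usd=int(bounty.replace(",", "")) if bounty else None,
        ))
    return out


# Apple "Key: value" block.  The credit is buried in the Description;
# assumed phrasing "Credit to <who>[, working with <org>] for reporting".
APPLE_FIELDS = {"CVE-ID": "cve", "Available for": "affected",
                "Impact": "impact", "Description": "description"}
APPLE_CREDIT = re.compile(r"Credit to (.+?)(?:,\s*working with .*?)? for reporting")


def parse_apple_entry(text: str) -> Advisory:
    """Parse one entry of an Apple security update page."""
    adv = Advisory(source="apple")
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        attr = APPLE_FIELDS.get(key.strip())
        if sep and attr:
            setattr(adv, attr, value.strip())
    if adv.description:
        m = APPLE_CREDIT.search(adv.description)
        if m:
            adv.credit = m.group(1).strip()
    return adv


# Constructed sample input: the two formats quoted in the post.
APPLE_SAMPLE = """WebKit
CVE-ID: CVE-2010-1398
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit’s handling of ordered list insertions. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of list insertions. Credit to wushi of team509, working with TippingPoint’s Zero Day Initiative for reporting this issue.
"""

CHROME_SAMPLE = """Security fixes and rewards:
[43487] High Memory corruption in text transforms. Credit to wushi of team509.
[$2000] [39985] High Cross-origin bypass in DOM methods. Credit to Sergey Glazunov.
"""

if __name__ == "__main__":
    apple = parse_apple_entry(APPLE_SAMPLE)
    for adv in [apple] + parse_chrome_notes(CHROME_SAMPLE):
        print(f"{adv.source:6} cve={adv.cve} bug={adv.bug_id} credit={adv.credit!r} "
              f"bounty={adv.bounty_usd} missing={adv.missing_fields()}")
```

Run stand-alone, the script shows the point of the post in one screen: the Apple record comes back with no missing fields, while each Chrome record lacks a CVE and any statement of affected versions, so the only handle for correlating the two vendors' fixes is the credit string, which is exactly the inference the post had to make by hand.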
One thought on “Google Chrome Vulnerability Disclosures”