
Google reveals Chrome security patch details

The search company was less than forthcoming earlier, arguing it didn't want to increase browsing risks for Chrome users, but Google has now published patch details.

Stephen Shankland Former Principal Writer

Earlier today, Google was keeping mum about a three-day-old security fix to its Chrome browser, but now the company has revealed details of two critical-risk vulnerabilities and some lesser issues it says are fixed.

The critical patches relate to buffer overrun vulnerabilities that could have let a remote attacker execute arbitrary software on a Chrome user's computer, said Mark Larson, a Google Chrome program manager, in a mailing list posting Monday afternoon. The first patch fixed a vulnerability in handling long file names (http://code.google.com/p/chromium/issues/detail?id=1414), called the SaveAs vulnerability, and the second a vulnerability in dealing with the Web site addresses displayed in Chrome's status area when the user hovers over a link.

An update to Google Chrome means the browser now can head off a particular technique that previously could crash the browser. Stephen Shankland/CNET News

Larson also established a Google Chrome Releases blog for announcements and release notes relating to Chrome. The company had said earlier it was working on a way to release that information, in part after people requested such notes well after Google started automatically updating Chrome browsers without saying what exactly was in the update.

Google fixed two lesser security issues, too. The first was an issue in which typing "about:%" in the address bar could crash the computer. The problem also meant that a Web page with that text as a hyperlink could crash the browser if a user hovered the mouse pointer over the link. The second was a change to prevent the user's desktop from being the default download directory, to mitigate "the risk of malicious cluttering of the desktop with unwanted downloads, which can lead to executing unwanted files," Larson said.

Other fixes addressed non-security issues: a JavaScript problem with Facebook; a problem suggesting search terms while using various Web sites; and some data-transfer issues with the Safe Browsing mode.