Softpedia

September 18th, 2010, 09:41 GMT · By

Actively Exploited Flash Player Vulnerability Patched in Chrome

Google patches Flash bug in Chrome before Adobe
Google has released a new version of Chrome, which fixes a Flash Player vulnerability currently exploited in the wild, even though an official patch from Adobe is not expected until Monday.

Google Chrome 6.0.472.62 has been pushed to the Stable and Beta channels for Windows, Linux and Mac, as well as the Beta channel for Chrome Frame.

The change that stands out in this release is an updated version of the embedded Flash Player plugin, which addresses a critical remote code execution flaw.

The vulnerability, identified as CVE-2010-2884, was reported as a zero-day earlier this week. Adobe plans to patch it on Monday, September 20, in a new version of Flash Player.

Chrome 6.0.472.62 also addresses three other critical and high-risk security vulnerabilities in the browser itself.

The critical one is described as buffer mismanagement in the SPDY protocol and was discovered by Google's own engineer Ron Ten-Hove.

The other two bugs are a bad cast with malformed SVG, credited to wushi of team 509, who was awarded $500 for the discovery, and a cross-origin property pollution, which earned researcher Stefano Di Paola of MindedSecurity $1,000 through Google's vulnerability reward program.

Adobe has updated its security advisory to let users know that a fix for the Flash Player vulnerability is available in Chrome.

Since June, Google Chrome has shipped with Flash Player integrated, allowing it to make use of the new Pepper Plugin API (PPAPI).

In the future, this is expected to enable Flash content to run inside a sandboxed environment, making it significantly harder to exploit arbitrary code execution bugs.

Chrome users can check if they're running the latest version of the browser by clicking the wrench icon located next to the address bar and selecting "About Google Chrome."

Google Chrome 6.0.472.62 for Windows can be downloaded here.
