May 13, 2011 14:55 GMT

Google has updated Chrome to version 11.0.696.68 in order to address two high-risk vulnerabilities and include the new Flash Player 10.3 plug-in.

Both vulnerabilities were discovered internally by members of the Google Chrome Security Team so no rewards were offered in this release.

One of the flaws, CVE-2011-1799, consists of bad casts in code linking Chromium and WebKit, while the other, CVE-2011-1800, concerns integer overflows in SVG filters.

"This version also contains Flash Player 10.3 which is an incremental release with improved stability, enhanced security and user privacy protection, and new capabilities for enterprise and developers," the release announcement reads.

For its part, Adobe Flash Player 10.3 addresses eleven vulnerabilities, ten of which are rated as critical and allow for arbitrary code execution.

Another important change is that it integrates with browser privacy controls and allows Chrome users to clear Flash local storage objects (Flash cookies) directly from the browser's interface.

Under normal circumstances, updating Flash Player is very important because outdated plug-ins are regularly targeted in web-based attacks. However, its impact is lower in Chrome.

Google's browser comes bundled with a Flash Player plug-in, created in collaboration with Adobe, which runs under the browser's native sandbox. This kind of isolation makes it very hard for hackers to execute code on the underlying system if a Flash Player vulnerability is exploited.

The sandbox is not an impenetrable shield, but to date only one working attack against it has been developed. It was recently announced by French vulnerability research outfit VUPEN and consists of very sophisticated code that chains several exploits together.

Google has not yet patched the vulnerabilities targeted in VUPEN's attack, because the security firm only shared details about them with its paying government customers. Google will probably be notified at a later time.