The stable version

Aug 26, 2009 10:19 GMT

While working in parallel on a number of browser releases, Google has updated version 2.0 of Chrome, in a move to provide additional security to end users. In this context, users can now download Google Chrome Build 2.0.172.43. Version 2.0 of the open-source browser from Google is also the only stable version of Chrome. In parallel, the Mountain View-based search giant is also developing Chrome 3.0 and Chrome 4.0, available through the Beta and the Developer channels, respectively.

As an integral part of the security enhancements and patches introduced by Google Chrome 2.0.172.43, the browser no longer plays nice with weak signatures, treating them as invalid instead. “Google Chrome no longer connects to HTTPS (SSL) sites whose certificates are signed using MD2 or MD4 hashing algorithms. These algorithms are considered weak and might allow an attacker to spoof an invalid site as a valid HTTPS site,” revealed Jonathan Conradt, engineering program manager. “Further advances in attacks against weak hashing algorithms may eventually permit attacks to forge certificates,” he warned.

In addition to improvements to the way that Chrome deals with websites still using MD2 or MD4 hashing algorithms, the company has also introduced a few security updates for vulnerabilities in the browser. A patch was provided for the “unauthorized memory read from Javascript” security flaw discovered by Mozilla. Users of Chrome versions earlier than 2.0.172.43 are at risk of attackers running arbitrary code in the Google Chrome sandbox if they visit a malformed website.

“A flaw in the V8 Javascript engine might allow specially-crafted Javascript on a web page to read unauthorized memory, bypassing security checks. It is possible that this could lead to disclosing unauthorized data to an attacker or allow an attacker to run arbitrary code,” Conradt noted.

In addition, Google Chrome 2.0.172.43 patched a vulnerability associated with stack consumption in libxml2 and also multiple use-after-free vulnerabilities in libxml2. “Pages using XML can cause a Google Chrome tab process to crash. A malicious XML payload may be able to trigger a use-after-free condition. Other tabs are unaffected,” Conradt added. “A victim would need to visit a page under an attacker's control. Any code that an attacker might be able to run inside the renderer process would be inside the sandbox.”

End users are of course advised to download and install the latest release of Google Chrome as soon as possible. At the same time, it is recommended that they run 2.0.172.43 or later, and that only beta testers and developers use versions 3.0 and 4.0.

The latest release of Google Chrome is available for download here.