Microsoft Issues Advisories for Chrome and Opera

Wednesday, April 20, 2011

Headlines

69dafe8b58066478aea48f3d0f384820

Microsoft issued two security advisories this week detailing vulnerabilities discovered in the Chrome browser, and one for a flaw in the Opera browser.

The disclosures were coordinated with the respective software manufacturers, Google and Opera Software, and the advisories indicate the vulnerabilities had already been mitigated late last year.

The HTML5 vulnerability that affected both browsers could have allowed for the accessing of private information by an attacker, though it would not allow for the escalation of user privileges or the execution of code remotely.

The second vulnerability that affected only Chrome exploited a weakness in how the browser accessed memory, and could have allowed an attacker to execute code within the Google Chrome Sandbox.

Some details and links to the advisories are as follows:

HTML5 Implementation in Chrome and Opera Could Allow Information Disclosure

"In order to exploit this vulnerability, an attacker must possess the IP address of the network resource that contains the private information. In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability."

"In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites."

"Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site."

Vulnerability in Chrome Could Allow Sandboxed Remote Code Execution

"In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability."

"In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site."

"Successful exploitation of this vulnerability does not allow for code to run outside of the Google Chrome Sandbox, which is read and write isolated from the local file system, although other attacks may be possible."

Possibly Related Articles:
4430
Vulnerabilities
Google Microsoft Browser Security Vulnerabilities Opera Headlines Chrome Advisory
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.