Google has fixed five vulnerabilities in its Chrome browser and also has activated a feature that will block malicious file downloads automatically. The change is a major security upgrade for Chrome and will help prevent users from unwittingly downloading harmful files, an attack vector that attackers count on for the success of drive-by downloads and other attacks.
Attackers rely on their ability to install files on victims’ machines, either with the cooperation of the user or through an automatic download in the background. That’s the essence of many Web-based attacks today and the change in Chrome will give users an extra layer of protection, even if they happen to click on a malicious file or visit a site that’s serving malware.
Along with that change to Chrome’s security, Google also fixed five separate security flaws in the browser, including one that could have been used to force the browser to sync with an attacker’s Google account. Here’s the list of the vulnerabilities patched in Chrome 32:
- [$1000][249502] High CVE-2013-6646: Use-after-free in web workers. Credit to Collin Payne.
- [$1000][326854] High CVE-2013-6641: Use-after-free related to forms. Credit to Atte Kettunen of OUSPG.
- [$1000][324969] High CVE-2013-6642: Address bar spoofing in Chrome for Android. Credit to lpilorz.
- [$5000][321940] High CVE-2013-6643: Unprompted sync with an attacker’s Google account. Credit to Joao Lucas Melo Brasio.
- [318791] Medium CVE-2013-6645 Use-after-free related to speech input elements. Credit to Khalil Zhani.
In addition to those vulnerabilities, reported by external researchers, Google also fixed nearly 20 other flaws that were discovered during the company’s internal security efforts.