Friday, 13 May 2016

On 02:50 by admin   No comments
Recently, the Google company issued a statement, urging the majority to usethe Windows , the Mac the OS and Linux user's operating system, to update themselves on the terminal as soon as Chrome browser version, in order to eliminate the 5 security risks a vulnerability. It has been exposed for 5vulnerabilities, where there are 2 threat highest. Wednesday time, the Googlereleased the Chrome latest version of the browser ( 50.0.2661.102 ), and remind users need to give attention to the vulnerability.

Chrome in these 5 vulnerabilities by companies from Google Google's Chromium Project project team, the bug Bounty Program (Vulnerability hunting team) of 4 in R & D personnel ( the Google company will call them "loophole hunter") found. In this loophole hunter team, one from Poland, named Mariusz Mlynski security researcher, because he found the Chrome two critical vulnerabilities that exist in the browser, access to the Google company 15500dollar reward, which aroused attention.

Chrome One loophole is Mlynski found in CVE-2016-1667 . Mlynski be interpreted as the DOM (document object type) bypass vulnerability homology (Same Origin Bypass in the DOM ). Compared to other 4 vulnerabilities, it is extremely threatening. The vulnerability is based on the Chrome browser DOMinternet. A remote attacker could exploit the vulnerability by bypassing undefined vector HTML or XML homologous protection policy, and then attack the user.Since the discovery of this vulnerability, Mlynski received 8000 US dollars reward.

Mlynski discovered a second vulnerability is CVE-2016-1668 , which he described as a bypass homologous Blink V8 engine binding protection ( Same Origin Bypass in Blink V8 Bindings ). This vulnerability found to Mlynski brought7500 dollars in revenue. A remote attacker could exploit the vulnerability through a carefully crafted website to bypass Blink V8 homologous Protection Engine. V8engine is Chromium Project team for the Chrome browser development of an open-source JavaScript plug-in engine.

Mlynski is an experienced hunter loophole, he worked at Pwn2Own Contesthave been hacking contest and so on outstanding performance.

Another security researcher Choongwoo Han discovery of CVE-2016-1669vulnerability, and won the 3000 Meiyuan bonus. The vulnerabilities could cause the V8 engine buffer overflow. This vulnerability also has a very strong destructive power. Hackers by the vulnerability, the target system denial attacks, so that in a short time can not respond to commands from the user.

In the two remaining vulnerabilities, one was destroyed loader operating conditions ( Race condition in Loader , CVE-2016-1670 ), by an anonymous hunter discovered vulnerabilities. He won 1337 dollars. Another threatening Vulnerability ( CVE-2016-1671 ) is a researcher Jann Horn discovered, he will be referred to: In the Android system can traverse the file directory, feel free to browse the file system. He has received a 500 Meiyuan reward.

Google said it completed most users Chrome during the version update, we will continue to disclose more about these 5 details of vulnerabilities, as well as related research fellows.


Post a comment