The other day, when I started my PC, a small window popped up.
An update of Google Chrome is available
Install the update
Remove Google Chrome
Due to the new Google privacy conditions and for reasons of personal integrity, I have become reluctant to use Google products, so I decided to “Remove the Google Chrome”. But the question is: why does Google propose to remove or update?
At the HP-funded live hack last year, Google Chrome stood up against the hacks. But this year, on March 7-9, Google Chrome was the first browser which failed during the first 5 minutes of the live attacks. Google funded $1.000.000 for people who can demonstrate vulnerabilities in Chrome and, as the following screenshot shows, $60.000 will go to Sergey Glazunov for his two critical submissions against the most recent version of Google Chrome (i.e. zero day).
VUPEN, another team of hackers from France, which obviously sells vulnerabilities and exploits to “government customers”, used two zero days and took down Google Chrome on 64-bit Windows 7 with the latest patches. They were able to completely take over the system without any user interaction! I am sure they were able to cash in some of the reward money from Google.
But don’t panic: according to Google, the Chrome update 17.0.963.78 already has the necessary patches.
What about other browsers?
Well, according to VUPEN co-founder and head of research Chaouki Bekrar, his team was equipped with zero-day flaws for all four major browsers — Google Chrome, Microsoft Internet Explorer, Apple Safari and Mozilla Firefox. “…but he said the decision to go after Chrome first was a deliberate tactic.” “We wanted to show that Chrome was not unbreakable. Last year, we saw a lot of headlines that no one could hack Chrome. We wanted to make sure it was the first to fall this year…”
Later on, VUPEN demonstrated a zero-day for Internet Explorer, including a Protected Mode bypass. IE9 on Windows 7 was completely owned.
A video on YouTube shows how Chrome is hacked.
What about Adobe?
Adobe has fixes to handle Flash Player. Flash Player 220.127.116.11 contains priority 2 updates that address critical vulnerabilities on Windows, Macintosh, Linux, Android 4.x, and Android 3.x and 2.x. These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.
Specifically, the update fixes a memory corruption vulnerability in Matrix3D that could lead to code execution (CVE-2012-0768) and resolves integer errors that could lead to information disclosure (CVE-2012-0769). Adobe recommends that users install the update within 30 days. This is because there are currently no known exploits and, based on previous experience, Adobe does not anticipate that exploits are imminent.
AFFECTED SOFTWARE VERSIONS
- Adobe Flash Player 18.104.22.168 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
- Adobe Flash Player 22.214.171.124 and earlier versions for Android 4.x
- Adobe Flash Player 126.96.36.199 and earlier versions for Android 3.x and 2.x
The new version is available from the Flash Player Download Center.
What about Mac?
Apple has released iOS 5.1 for the iPhone 3GS, 4 and 4S, the 3rd and 4th generation iPod touch, and all of its iPad models. About 90 security fixes, especially for browsing functions, some of which may relate to the Chrome security issues, were identified and fixed in iOS 5.1.
It is your system, your data, your browser
In my understanding, you may have a favourite browser and would not change it for any reason. Well, that sounds OK, but don’t forget to continuously update your OS, browser, … and you may need to listen to rumours about security. Then you have enough information to take the necessary actions.