Mozilla credited with discovering exploitable Google Chrome 2 flaw
Google is not saying much today about a flaw discovered in the V8 JavaScript engine of its Chrome 2 stable Web browser, one that triggered an update now being rolled out to Chrome users. Among the little it is sharing, however, is a surprising fact: Mozilla Security is being credited with the discovery.
Malicious JavaScript, Google says, can cause the Chrome browser to run arbitrary code, although that code should still be confined by the browser's "sandbox" -- the restricted renderer process in which Web content runs, which is denied direct access to the file system and other system resources. However, it's conceivable that code running inside the sandbox could lure the user (by social means, perhaps by feigning a crash or system error) into performing an action that triggers a more damaging second stage delivered through a different payload, so Google treated the issue with a "High" severity rating.
One possibility is that Mozilla's security team is testing other open source browsers for the same exploits it tests against the various releases of Firefox. A more plausible story is that a variant of a Firefox bug already reported to or found by Mozilla's security team was tried against a Chrome browser, by Mozilla or by Google, with the same detrimental result.
If that's the case, then the last Firefox bug to match the vague profile Google has presented thus far is a Firefox 3.0.11 bug found last June 11 by legendary Firefox security contributor moz_bug_r_a4. Now, "chrome" in the Firefox vernacular is a term that predates "Chrome" as Google's browser brand name; Mozilla uses it for the class of code that draws the browser's on-screen appearance and controls, and for the elevated privilege that JavaScript code is granted in order to put them there. JavaScript from Web pages runs without that privilege, so it cannot alter the browser to the same extent that an add-on can.
In short, moz_bug_r_a4 had found a JavaScript bug that could let ordinary code run with "chrome privilege" -- again, nothing to do with Google Chrome, but with the keys to the browser interface being handed over. More specifically, what he discovered and promptly reported was that a JavaScript object was being created in the middle of data rather than in protected memory, creating the possibility that a reference to a property of that object would steer a pointer into that data, perhaps triggering a crash or fault and leaving the pointer open to manipulation and, potentially, code execution.
Google promises to go in-depth about its own V8 JavaScript bug once it's determined that enough Chrome 2 users have installed the update.