
Google has patched two serious security holes in its
JavaScript and XML engines, according to a blog post on the Google Chrome website.
The post said, "A flaw in the V8 JavaScript engine might allow
specially-crafted JavaScript on a web page to read unauthorised
memory, bypassing security checks. It is possible that this could
lead to disclosing unauthorised data to an attacker or allow an
attacker to run arbitrary code."
Google has rated this security risk as high, because a hacker
could run malicious code within the Chrome browser.
The second flaw affects XML. Pages using XML can cause a Google
Chrome tab process to crash. A malicious XML payload may be able to
trigger a use-after-free condition. Other tabs are unaffected, said
Jonathan Conradt, engineering program manager at Google.
Chris Evans of Google's security team said neither of the flaws
has been rated as critical because Google Chrome uses a sandbox
which prevents arbitrary code from directly running on a user's
PC.