Google security overhaul: Chrome now blocks malicious files automatically

In a decisive move on Internet security, Google has fixed five vulnerabilities in its Chrome browser and also launched a feature that blocks malicious file downloads automatically.

After announcing the feature back in October, Google made it available in beta form. It will now be activated by default for all Chrome users as the update to Chrome 32, known as Canary, spreads to all users.

The change is a major security upgrade for Google's Chrome browser, and represents a significant move against cyber criminals who rely on users unwittingly downloading compromised or malicious files.

In a blog post introducing the new feature, Google VP Linus Upson said: "Online criminals have been increasing their use of malicious software that can silently hijack your browser settings. This has become a top issue in the Chrome help forums; we're listening and are here to help."

Google also fixed five separate security flaws in the browser, including one that could have been used to force the browser to sync with an attacker's Google account. The full list of patches in Chrome Canary is as follows:

  • High CVE-2013-6646: Use-after-free in web workers. Credit to Collin Payne.
  • High CVE-2013-6641: Use-after-free related to forms. Credit to Atte Kettunen of OUSPG.
  • High CVE-2013-6642: Address bar spoofing in Chrome for Android. Credit to lpilorz.
  • High CVE-2013-6643: Unprompted sync with an attacker's Google account. Credit to Joao Lucas Melo Brasio.
  • Medium CVE-2013-6645: Use-after-free related to speech input elements. Credit to Khalil Zhani.

In addition to those vulnerabilities, all of which were reported by external researchers, Google also fixed nearly 20 other flaws that were discovered during the company's internal security efforts.

Google's Chrome browser has been praised for its security credentials in the past. Back in 2012, the German government recommended Chrome as the most secure browser, and particularly vaunted Chrome's anti-exploit sandbox technology - the feature which isolates the browser from the rest of the operating system, thus preventing any malicious web-based elements from infecting other crucial components of the host OS.