Both security issues that have been fixed by the developers have received a rating of high, the second highest severity rating available.

• [64046] High CVE-2011-1799: Bad casts in Chromium WebKit glue.
• [80608] High CVE-2011-1800: Integer overflows in SVG filters.

The new Chrome stable version additionally contains Adobe’s Flash Player 10.3, which has been updated to that version. While it is not explicitly mentioned on the Google Chrome Releases blog, it seems as if that version is a final build of Adobe Flash Player 10.3 and not the release candidate.

The final version has not yet been officially released by Adobe. It would not be the first time that Google, thanks to the direct tie-in of Flash Player in Chrome, managed to update Flash Player ahead of time.

The long awaited Flash Player 10.3 adds several new features to the popular software, most noticeably an option to delete so called Flash cookies from within the browser.

Google Chrome Stable users should get update notifications soon, if they have not already. Users who prefer to download Chrome from the official website can do that as well. The browser can be updated by running the installer after the download has finished.

There are probably additional reasons for a Google Chrome offline installer. There is however an easy – but somewhat hidden – option for users who want to download an offline installer for Google Chrome.

All that these users need to do is to append the parameter standalone=1 to the website where Google Chrome can be downloaded. Here are the two download links for the latest official and latest beta version of the Google browser:

Latest official: http://www.google.com/chrome/eula.html?standalone=1
Latest beta: http://www.google.com/chrome/eula.html?extra=betachannel&standalone=1

This will download the full installer of the selected Google Chrome browser to the local computer system. It is then possible to install Google Chrome without Internet connection by simply distributing the offline installer to the computer system where it should be installed.

The Google Chrome developers mentioned that it might not be possible to auto-update these versions of the Google Chrome browser. The auto update service should however be active when downloading the offline installers. They should work normally if an Internet connection is present to check for updates.

A flaw in the V8 Javascript engine might allow specially-crafted Javascript on a web page to read unauthorized memory, bypassing security checks. It is possible that this could lead to disclosing unauthorized data to an attacker or allow an attacker to run arbitrary code.

The second security vulnerability can also allow an attacker to run arbitrary code in the Google sandboxed environment. A malicious XML payload may be able to trigger the condition.

Pages using XML can cause a Google Chrome tab process to crash. A malicious XML payload may be able to trigger a use-after-free condition. Other tabs are unaffected.

The security fix finally treat SSL sites who use MD2 or MD4 hashes to sign certificates as invalid as the algorithms are considered weak and can allow attackers to spoof the https site.

Google Chrome no longer connects to HTTPS (SSL) sites whose certificates are signed using MD2 or MD4 hashing algorithms. These algorithms are considered weak and might allow an attacker to spoof an invalid site as a valid HTTPS site.

Users can check for updates from within the web browser or download the latest version from the Google Chrome website.