RE: Security is safe in Google's hands
The disclosure does say "An attacker might be able to run arbitrary code within the Google Chrome sandbox." *Within the sandbox* is the important part, and means that the attacker's code is severely hampered and would have to exploit some sort of privilege escalation within Windows to get out and touch the user's (or the system's) files or network connection. This is good because the attacker would have to have two working zero-day exploits (one in Chrome and one in Windows) to have a chance of attacking an up-to-date system.