Google Plugs Major Security Hole in Chrome

Google recently updated its Chrome browser to fix a major security problem. The problem affects the mainstream stable version of Chrome and is fixed in the new version 1.0.154.59. Chrome is built to update itself automatically, so users should receive this update without having to do anything. The update takes effect only after the browser is restarted. Should you need to manually force the download, you can do so by clicking the wrench icon in the upper right corner of the browser, selecting About Google Chrome, and clicking Update Now.

The security problem was originally reported on April 8th by Roi Saltzman of the IBM Rational Application Security Research Group. In the course of unreleased research, Saltzman discovered a number of security issues in various parts of Google Chrome that pose a threat to any user who has Google Chrome installed and visits a maliciously crafted page using Internet Explorer. The issue allows cross-site scripting attacks, which can make a Web browser process unauthorized code and enable a variety of attacks, including impersonation and phishing.

Mark Larson, Google Chrome program manager, further described the problem in a blog posting:

An error in handling URLs with a chromehtml: protocol could allow an attacker to run scripts of his choosing on any page or enumerate files on the local disk under certain conditions.

If a user has Google Chrome installed, visiting an attacker-controlled web page in Internet Explorer could have caused Google Chrome to launch, open multiple tabs, and load scripts that run after navigating to a URL of the attacker's choice.

The attack wouldn’t work if Chrome was already running. Saltzman noted that the way Internet Explorer processes URL protocol handlers has been widely used to attack other applications in the past. Saltzman praised Google for its quick response and for the way the company handled the situation.