New Chrome Version Plugs Major Security Hole
Google yesterday released an updated version of its Chrome browser to prevent cross-site scripting attacks in which visiting a malicious site with Internet Explorer could cause Google Chrome to fire up, open a bunch of tabs, and load harmful scripts.
"An error in handling URLs with a chromehtml: protocol could allow an attacker to run scripts of his choosing on any page or enumerate files on the local disk under certain conditions," Mark Larson, Google Chrome program manager, wrote in a blog post. "If a user has Google Chrome installed, visiting an attacker-controlled web page in Internet Explorer could have caused Google Chrome to launch, open multiple tabs, and load scripts that run after navigating to a URL of the attacker's choice."
The attack wouldn't work if Chrome was already running, Larson added. A new version of Chrome -- 1.0.154.59 -- is now available and will prevent the attack from working regardless. The update is supposed to be rolled out automatically, but in our case, we had to manually force the download. You can do so by clicking on the wrench icon in the upper right corner, selecting 'About Google Chrome,' and clicking on Update Now.














