Google Chrome glitch patched

Feeling vulnerable

By Sylvie Barak

Fri Apr 24 2009, 10:11

JUST A DAY after Mozilla patched up Firefox, Google is doing the same with its Internet browser, Chrome, in order to deal with a particularly nasty security glitch.

The bug, which only affects the mainstream, stable version of the browser, was discovered by an IBM staffer by the name of Roi Saltzman, who discovered a major vulnerability to cross-site scripting attacks.

Google_chrome_logo_150x149

The flaw meant users with Google Chrome installed on their machines, who haplessly stumbled across an attacker-controlled web site whilst using alternative browser Internet Explorer, caused Chrome to launch itself, open a gaggle of tabs, then load and run scripts after navigating to a URL of the attacker's choice.

Google Chrome programme manager, Mark Larson, said in a blog post that the problem was "An error in handling URLs with a chromehtml: protocol".

He added the error "could allow an attacker to run scripts of his choosing on any page or enumerate files on the local disk under certain conditions".

The attack could only work if Chrome was installed on the target system but not actually running at the time.

Google's new version of its browser (1.0.154.59) updates automatically, so users don't need to download the fix themselves. µ

Tags: Google

Google touts website prefetching with Chrome 17 Increases bandwdith usage in the pursuit of speed Thursday, 9 February 2012, 13:57 PM Read more	The INQUIRER review of the year A look back at the big news stories of 2011 Friday, 23 December 2011, 08:00 AM Read more
Google's Chrome 15 update fixes bugs Tabs page added to Chrome web browser Wednesday, 26 October 2011, 12:32 PM Read more	Chrome update fixes a critical vulnerability Bundles Flash Player 11 Wednesday, 5 October 2011, 12:25 PM Read more
MSE false positive detection forces Google to update Chrome Faulty antivirus blocks web browser Monday, 3 October 2011, 12:13 PM Read more	Microsoft and Mozilla ban Dutch government root certificate PKIoverheid is no more Wednesday, 7 September 2011, 14:35 PM Read more

< Previous article| Next article >

Comments

There are no comments submitted yet. Do you have an interesting opinion? Then be the first to post a comment.

INQ White papers

Databases

Network management

Security

Service oriented architecture

Storage

INQ Jobs

Pricing Manager- Financial

Pricing Manager- Financial ...

INQ Poll

Authorities in several countries raided Megaupload recently, shut down all of its services, seized hundreds of servers and arrested several of its executives on criminal charges.

Do you think the move was justified?

Yes, companies should suffer an immediate death penalty upon being accused of copyright infringement.

Yes, the coppers said the company was breaking the law so it must be guilty.

No, the company and the people accused are innocent until proven guilty.

No, the company had millions of customers who have been harmed by having access to their data files cut off.

I don't care, I never used Megaupload anyway.

View other polls

© Incisive Media Investments Limited 2012, Published by Incisive Financial Publishing Limited, Haymarket House, 28-29 Haymarket, London SW1Y 4RX, are companies registered in England and Wales with company registration numbers 04252091 & 04252093

SEARCH :

Site Credentials:

Business & Technology websites:

Business research resources:

Products:

Investment Market IT websites:

Find out what you are worth:

Salary Calculator

Search for a job:

Recruitment Agency A-Z Directory

Accreditations:

Digital Publisher of the Year 2010

Google Chrome glitch patched

Share this:

RIM Playbook OS 2.0 and Blackberry 7.1 video demo

Nokia Lumia 710 video review