Google Fixes Chrome for IE Vulnerability
Google fixed a security vulnerability that, oddly, involved a hole in IE.
Google today updated its stable version of the Chrome browser to version 22.214.171.124 to fix a serious security issue. The 'funny' thing is the issue is triggered by Microsoft's Internet Explorer (IE) browser.
The issue is very serious and according to Google could potentially enable something called universal cross-site scripting (UXSS) without a user having to do anything.
According to Google's bug report on the issue:
How could this happen in 2009 to Chrome? Is it Google's fault or Microsoft's?
Google's advisory document on the issue notes that, "Because of a known silliness of MSIE, calls to registered URL handlers for protocols such as chromehtml: are not constructed with sufficient
Basically what that means is the URI handler for Chrome, which should parse or somehow validate the incoming request did not. URI handling issues in general are serious and don't just affect IE, but also how browsers deal with QuickTime, Flash and other plug-ins as well. Firefox went through a whole period dealing with serious URI issues for IE and QuickTime in 2007 and into 2008 even.
Google notes that they've dealt with other cases like this in the past but with this newly patched issue, "unescaped spaces & quotes might be used to break one parameter into several, and this would cause Chrome to open multiple tabs."
The flaw does not apparently affect the dev or beta versions of Chrome, only the stable channel.
So what that tells me, is that even though the stable channel is supposed to be more stable, if you're looking for the best security when running Chrome you might be better off running either the dev or beta versions.
Article courtesy of InternetNews.com.