From the 'run Microsoft, infect Google' files:

Google today updated the stable version of its Chrome browser to version 1.0.154.58 to fix a serious security issue. The 'funny' thing is that the issue is triggered through Microsoft's Internet Explorer (IE) browser.

The issue is rated serious and, according to Google, could enable universal cross-site scripting (UXSS), that is, attacker-supplied script running in the context of arbitrary sites, without the user having to do anything beyond loading a page.

According to Google's bug report on the issue:
When loaded in Internet Explorer, a specially crafted HTML page can launch Google Chrome with an arbitrary URI without requiring any user interaction.
That's right friends: if you run into an evil page while browsing with IE, it can force Chrome to open any page an attacker wants, or even a URL that runs attacker-supplied JavaScript. The flaw stems from a URI-handler error that on the surface sounds very similar to the one Mozilla fixed back in 2007 with Firefox 2.0.0.5, where IE could likewise launch Firefox through the firefoxurl: handler with an unescaped command line.

How could this happen in 2009 to Chrome? Is it Google's fault or Microsoft's?

If we're looking to assign blame, there is plenty to go around in my view. But let's look at Chrome specifically.

Google's advisory document on the issue notes that, "Because of a known silliness of MSIE, calls to registered URL handlers for protocols such as chromehtml: are not constructed with sufficient escaping."

In plainer terms: when IE hands a chromehtml: URI to the registered handler, it pastes the URI into the handler's command line without escaping it, and Chrome's side, which should have parsed and validated what it received, did not. A quote or a space inside the URI therefore ends the intended parameter and starts new ones. URI-handling issues in general are serious and don't just affect IE; they also affect how browsers deal with QuickTime, Flash and other plug-ins. Firefox went through a whole period dealing with serious URI issues involving IE and QuickTime in 2007 and into 2008.

Google notes that it has dealt with other cases like this in the past, but with this newly patched issue, "unescaped spaces & quotes might be used to break one parameter into several, and this would cause Chrome to open multiple tabs."
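To make the "one parameter becomes several" problem concrete, here is an added simulation (it is not Chromium or Microsoft code) of what happens when a URI is pasted into a protocol handler's command line and then re-split into argv with the classic Windows tokenisation rules. The handler template, the "one tab per trailing argument" pre-fix behaviour, the http(s)-only filter and both sample URIs are assumptions constructed for this illustration; the escaping routine shows what a launcher would have to do for the quoted %1 to survive as a single argument, and the hardened handler shows the check the receiving side can apply when it cannot trust the launcher.

```python
# Added example (not Chromium or Microsoft code): simulates a URI being pasted
# into a registered protocol handler's command line and re-split into argv.
# The template, the pre-fix tab behaviour, the URL filter and the sample URIs
# are assumptions constructed for illustration.
import re

# Assumed registry command for the chromehtml: handler
# (HKCR\chromehtml\shell\open\command); %1 is replaced by the full URI.
HANDLER_TEMPLATE = r'"C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1"'

# Constructed sample URIs: the second carries a quote and a space that close
# the quoted %1 parameter and start a second one.
BENIGN_URI = "chromehtml:http://example.com/page"
EVIL_URI = 'chromehtml:http://example.com/" "javascript:alert(document.cookie)'

# Assumption: only http(s) targets are legitimate for a chromehtml: launch.
URI_RE = re.compile(r"^chromehtml:(https?://\S+)$")


def build_cmdline_unescaped(uri):
    """Launcher that pastes the URI in verbatim (the behaviour the advisory describes)."""
    return HANDLER_TEMPLATE.replace("%1", uri)


def escape_windows_arg(arg):
    """Quote one argument so Windows-style splitting returns it intact: quotes
    are backslash-escaped, backslashes before a quote (or the end) are doubled."""
    out, n_bs = [], 0
    for ch in arg:
        if ch == "\\":
            n_bs += 1
            continue
        if ch == '"':
            out.append("\\" * (2 * n_bs + 1) + '"')
        else:
            out.append("\\" * n_bs + ch)
        n_bs = 0
    out.append("\\" * (2 * n_bs))
    return '"' + "".join(out) + '"'


def build_cmdline_escaped(uri):
    """Launcher that escapes the URI before substituting it for the quoted %1."""
    return HANDLER_TEMPLATE.replace('"%1"', escape_windows_arg(uri))


def split_windows_cmdline(cmdline):
    """Tokenise with the classic CommandLineToArgvW rules: whitespace separates
    arguments outside quotes, a quote toggles quoted mode, 2n backslashes before
    a quote give n backslashes (2n+1 also yields a literal quote).  The newer
    '""' special case is not modelled."""
    args, cur, in_quotes, have_arg = [], [], False, False
    i, n = 0, len(cmdline)
    while i < n:
        ch = cmdline[i]
        if ch == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            n_bs = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (n_bs // 2))
                if n_bs % 2:
                    cur.append('"')
                else:
                    in_quotes = not in_quotes
                i = j + 1
            else:
                cur.append("\\" * n_bs)
                i = j
            have_arg = True
        elif ch == '"':
            in_quotes = not in_quotes
            have_arg = True
            i += 1
        elif ch in " \t" and not in_quotes:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(ch)
            have_arg = True
            i += 1
    if have_arg:
        args.append("".join(cur))
    return args


def tabs_vulnerable(argv):
    """Assumed pre-fix behaviour: every argument after '--' becomes a tab."""
    tail = argv[argv.index("--") + 1:]
    return [a[len("chromehtml:"):] if a.startswith("chromehtml:") else a for a in tail]


def tabs_hardened(argv):
    """Refuse the launch unless exactly one chromehtml: argument survives the
    split and it carries an http(s) URL; returns None on refusal."""
    if "--" not in argv:
        return None
    tail = argv[argv.index("--") + 1:]
    if len(tail) != 1:
        return None
    m = URI_RE.match(tail[0])
    return [m.group(1)] if m else None


if __name__ == "__main__":
    for label, uri in (("benign", BENIGN_URI), ("crafted", EVIL_URI)):
        argv = split_windows_cmdline(build_cmdline_unescaped(uri))
        print(label, "argv:", argv)
        print("  pre-fix tabs:", tabs_vulnerable(argv))
        print("  hardened    :", tabs_hardened(argv))
    print("escaped crafted argv:", split_windows_cmdline(build_cmdline_escaped(EVIL_URI)))
```

Run stand-alone, the crafted URI yields four argv entries instead of three, and the simulated pre-fix handler opens two tabs, one of them a javascript: URL; the hardened handler refuses the launch because more than one parameter arrived. With the escaping launcher the same URI survives as a single argument, which the hardened handler still rejects because it is not a clean http(s) URL. The point the advisory makes is that Chrome could not rely on the first behaviour from IE, so the second check had to live in Chrome.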

The flaw reportedly does not affect the dev or beta versions of Chrome, only the stable channel.

So what that tells me is that even though the stable channel is supposed to be the more stable one, if you're looking for the best security when running Chrome you might be better off on the dev or beta channel, where this particular bug was already absent. The caveat is that those channels also carry newer, less-tested code; for most people the practical answer is simply to let Chrome's updater pull in 1.0.154.58.

Article courtesy of InternetNews.com.
