Google patches "severe" Chrome bug

 

Gallery

By Barry Collins

Posted on 24 Apr 2009 at 08:45

Google has patched a bug in its Chrome browser that allowed attackers to perform cross-site scripting attacks.

The flaw was discovered earlier this month by an IBM security researcher and was patched last night, with the release of Chrome version 1.0.154.59.

"An error in handling URLs with a chromehtml: protocol could allow an attacker to run scripts of his choosing on any page or enumerate files on the local disk under certain conditions," Chrome program manager Mark Larson explains.

"If a user has Google Chrome installed, visiting an attacker-controlled web page in Internet Explorer could have caused Google Chrome to launch, open multiple tabs, and load scripts that run after navigating to a URL of the attacker's choice. Such an attack only works if Chrome is not already running."

Chrome users should receive the update automatically, but can force an upgrade by clicking on the Tools menu, selecting About Google Chrome and pressing the Update Now button.

Earlier this week Google unveiled its vision of the 3D web, with a series of demonstrations showing how it's possible to run 3D games and animations from within the Chrome browser.