Sean Michael Kerner Blog
Google Chrome updated for IE tab security issue
From the 'run Microsoft, infect Google' files:
Google today updated its stable version of the Chrome browser to version 1.0.154.58 to fix a serious security issue. The 'funny' thing is that the issue is triggered by Microsoft's Internet Explorer (IE) browser. The issue is very serious and, according to Google, could potentially enable something called universal cross-site scripting (UXSS) without a user having to do anything.
According to Google's bug report on the issue: "When loaded in Internet Explorer, a specially crafted HTML page can launch Google Chrome with an arbitrary URI without requiring any user interaction."
That's right friends, if you run into an evil page while running IE, an attacker could force Chrome to open any pages the attacker wants or even run arbitrary JavaScript. The flaw stems from a handling error that on the surface sounds very similar to one that Mozilla fixed back in 2007 with the 2.0.0.5 release. How could this happen in 2009 to Chrome? Is it Google's fault or Microsoft's?
If we're looking to assign blame, there is plenty to go around in my view. But let's look at Chrome specifically.
Google's advisory document on the issue notes that, "Because of a known silliness of MSIE, calls to registered URL handlers for protocols such as chromehtml: are not constructed with sufficient escaping." Basically, what that means is that the URI handler for Chrome, which should parse or somehow validate the incoming request, did not.
URI handling issues in general are serious and don't just affect IE, but also how browsers deal with QuickTime, Flash and other plug-ins. Firefox went through a whole period of dealing with serious URI issues involving IE and QuickTime in 2007 and even into 2008. Google notes that they've dealt with other cases like this in the past, but with this newly patched issue, "unescaped spaces & quotes might be used to break one parameter into several, and this would cause Chrome to open multiple tabs."
The flaw apparently does not affect the dev or beta versions of Chrome, only the stable channel. What that tells me is that even though the stable channel is supposed to be more stable, if you're looking for the best security when running Chrome you might be better off running either the dev or beta versions.
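The parameter splitting that Google's advisory describes, shown as an added example that is not code from Google, Microsoft or the original post. The `demoapp:` scheme, the `browser.exe -- "%1"` registration and the sample URI are assumptions made up for illustration, and Python's `shlex` only approximates how a quoted command line is split into arguments.

```python
import shlex
from urllib.parse import quote

# Hypothetical handler registration (an assumption, not Chrome's real one):
# the caller substitutes the URI for %1 and launches the resulting command line.
HANDLER_TEMPLATE = 'browser.exe -- "%1"'

def launch_args(uri, escape):
    """Return the argv the handler process would receive for this URI."""
    if escape:
        # Percent-encode everything outside the safe set, so spaces and
        # double quotes become %20 and %22 and cannot end the quoted parameter.
        uri = quote(uri, safe=":/?&=#%+-._~")
    command_line = HANDLER_TEMPLATE.replace("%1", uri)
    # shlex approximates how a quoted command line is split into arguments.
    return shlex.split(command_line)

def url_arguments(argv):
    """Everything after the '--' separator is meant to be exactly one URL."""
    return argv[argv.index("--") + 1:]

def handler_accepts(argv):
    """Defence in depth inside the handler: one URL, no quotes or whitespace."""
    urls = url_arguments(argv)
    return len(urls) == 1 and not any(c in urls[0] for c in ' "\t')

# Constructed sample input: a harmless URI containing a quote and spaces.
SAMPLE = 'demoapp:https://a.example/one" "https://b.example/two'

if __name__ == "__main__":
    for escape in (False, True):
        argv = launch_args(SAMPLE, escape)
        print(f"escape={escape}: {len(url_arguments(argv))} URL argument(s),",
              "accepted" if handler_accepts(argv) else "rejected", argv)
```

Without escaping, the single URI arrives as two URL arguments and the handler-side check rejects it; with escaping on the caller's side it stays one argument.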
I am not a computer jock.
I thought that I can trust GOOGLE and 2 days ago I installed the Google Chrome. It messed up IE and it has the protected mode: on and it slowed down my computer quite a bit and I cannot use the pulldown menu under favorites to see my bookmarks and it is very annoying for me to deal with the slowness of my new laptop (which was working fine until I installed Google Chrome). I immediately uninstalled it and it did not change anything. How do I get it back to where it was before I installed Google Chrome?
If anyone can help me, I appreciate it.
I tend to run betas, too, but remember that with the latest bug fixes come the latest new bugs, too (which can also be security related).