Google fixes severe Chrome security hole

Google released a new version of its Chrome browser Thursday to fix a high-severity security problem.

The problem affects Google's mainstream stable version of Chrome and is fixed in the new version 1.0.154.59 (download). Google has built Chrome so it updates itself automatically with no user intervention, though the software must be restarted for the new version to run.

The security problem, reported April 8 by Roi Saltzman of the IBM Rational Application Security Research Group, allowed cross-site scripting attacks. Such methods can make a Web browser process unauthorized code such as JavaScript, enabling a variety of attacks, including impersonation or phishing.

Mark Larson, Google Chrome program manager, described the problem this way in a blog posting Thursday:

An error in handling URLs with a chromehtml: protocol could allow an attacker to run scripts of his choosing on any page or enumerate files on the local disk under certain conditions.

If a user has Google Chrome installed, visiting an attacker-controlled Web page in Internet Explorer could have caused Google Chrome to launch, open multiple tabs, and load scripts that run after navigating to a URL of the attacker's choice. Such an attack only works if Chrome is not already running.

[Angmarr]

they better fix a few more things if that want people to switch!

[Angmarr]

http://marketshare.hitslink.com/report.aspx?qprid=1&qpcustom=Chrome

[Magallanes]

lol, under the current speed, Chrome will reach Firefox in 15 years!.

[ChrisLang]

Google is looking at the long tail, all they want to do is get a browser out that comes with Google Gears installed and something that compiles JavaScript really well. No one can depend on Firefox, half the time it is junk, the other half it is great. You cannot depend on the darn thing.

I would pay $100 for a browser that worked properly and did NOT come and go on me.

[Angmarr]

@ ChrisLang

funny, many people donst seems to observe that 50% just you talk about!?
http://marketshare.hitslink.com/report.aspx?qprid=1&qpcustom=Firefox

[Mr. Dee]

Looks like Chrome is getting a bit rusty.

[Angmarr]

http://bicycletutor.com/rust-removal/ = )

[eltoro2827]

LOL...google is the new microsoft. start fixin those security issues google.
I would say the same about apple but no one bothers wasting their time. apples are like unicorns,,,you just dont see them ...unless they're ipods or iphones,

[JuggerNaut]

..."apples are like unicorns,,,you just dont see them ...unless they're ipods or iphones,"...

What rock are you living under?... I see them all the time!

[jfrdricks2009]

I've seen more Ipods and Iphones in the wild than uhm Zunes.

[ayeng98]

what eltoro2827 is an idiomatic expression, when he said "apple are like unicorn you just dont see them" it meant that OSX is almost invisble out there in the open while your in the internet, and thats the strenght of MAC OSX throught obscurity theyre hadly visible for those cyberbullies...that mekes MAC almost virus free ...

[Rod Roddy]

Yeah @ayeng98, OSX is invisible to cyber-bullies and also to developers :D

[lenins]

nothing. is nothing. why? cyber-bullies crimes are up. can anyone-stop-cyber-monster. it is one scare after another. do you care? all companies try to put out a very good product;so out comes the cyber-nothings. the cyber-nothings should be put in jail, for the crimes, they have committed. sadly, it is a cake walk for the cyber-nothings.why?

[kcotham]

So really, it's a flaw with Internet Explorer. Surprise surprise surprise!

[fafafooey]

If it is a "flaw with Internet Explorer", then how did Google fix it?

[Shankland]

It's a flaw with Chrome, not IE. A Web site visited with another browser can turn Chrome into an attack vector.

[ChrisLang]

I am no MS fan, but no one said that.

[slecalvez]

IE 8 has protection against cross-site scripting.... It might .05 seconds slower but still... I'll stick to firefox then...

[fafafooey]

Kind of funny... the article says "Google has built Chrome so it updates itself automatically with no user intervention".

If this would have read "Microsoft has built Internet Explorer so it updates itself automatically with no user intervention", methinks all the anti-MS kooks would be screaming bloody murder...

[Magallanes]

In fact i think Google is going even further, for example installing (without your consent or hidden in a long disclaimer text) a google update service.

[dnd980]

thats one of the reasons why I wont be switching to chrome

[ChrisLang]

The Google updater service comes with the new toolbar, Google Earth, just about anything that runs off the server. It is not Chrome only, and if you are going to let anyone in, then why not Google? Microsoft, Google, it matter little, they all know what you do every second, blah blah blah...

[alegr]

At least the updater service that runs in the background is better than Adobe updater that starts for every user session.
One problem with Google updater is that it runs under LOCAL_SYSTEM account. It should really run under LOCAL_SERVICE which has less privileges.

[ChrisLang]

Since Chrome is an air app that runs on the Google servers I wonder how much has to be updated on the user end and how much is updated in the cloud. It would be nice if the world of cloud computing would be fully updated on the server side.

However a client side app like a browser must interpret JavaScript and render HTML so that will never truly be a reality for a cloud browser app. Anybody no more on just how Chrome runs?

[superswiss]

Dude, you don't know what you are talking about. Chrome just like any other browser is a client side app. The webpages you open with it can live in the cloud, intranet or even local on your machine just like with any other browers. There's no part of Chrome that runs in the cloud. If you open any of the Goolgle Apps for example than they run in the cloud, but that's the same if you open them in IE or Firefox.

[viper396]

So why exactly do some people have this need to get fanatical or personal, and take up sides on a stupid browser war? Whether you use IE, Chrome, Firefox or other you don't actually win or lose anything. Are you getting paid for it? Why do you even care what browser other people are using?

[queticomn]

Hrm, Cross site scripting attacks. Well anyone herd of a little add on for FireFox called...

NO SCRIPT!

[gogodgo]

Re-inventing the wheel is too hard. Folks wanting to develop a new browser should simply send resumes to Microsoft, Mozilla, et all, and apply for the Browser Update Team. Developing an entire new browser takes years to even get close to W3C standards compliance AND provide a secure environment.

[hammad_jaf]

pleese give me all software cracke okay