Google updates Google Chrome to fix a security vulnerability that would allow hackers to launch universal cross-site scripting attacks. The flaw affects users with the Chrome Web browser installed who visit a malicious Web page with Microsoft Internet Explorer.
Chrome Web browser and Microsoft
Internet Explorer have found
themselves at the center of a security issue that could lead to cross-site
Google Chrome has been updated to 22.214.171.124 to fix a security
in the handling of ChromeHTML URIs (Uniform Resource Identifiers)
that allows an attacker to bypass the Same Origin Policy for any site and
enumerate victim's files and directories.
According to an advisory
the issue permits universal cross-site scripting without user
"If a user has Google Chrome installed, visiting an attacker-controlled
Web page in Internet
Explorer could have
caused Google Chrome to launch, open multiple tabs and
load scripts that run after navigating to a URL of the attacker's choice,"
the advisory stated.
The vulnerability was discovered by IBM
security researcher Roi Saltzman, who noted in a blog post that the
processing of URL protocol handlers has been an ongoing issue with Internet
Explorer. A similar situation was uncovered in 2007 involving Internet Explorer
"These issues pose a major threat to any user that browses a
maliciously crafted page
using Internet Explorer
and has Google Chrome installed alongside,"
Saltzman wrote. "It is important to note that the way Internet Explorer
processes URL protocol handlers is a known Achilles' heel and has been widely
used previously to attack other various applications."
A more detailed advisory can be downloaded
off the IBM Rational Application Security Insider blog.