Google plugs 'high-risk' holes in Chrome browser

Google has shipped a high-priority Chrome browser patch with fixes for three security vulnerabilities that expose users to cross-site scripting and data theft attacks.Google Chrome's beta and stable channels have been updated to version 1.

Google has shipped a high-priority Chrome browser patch with fixes for three security vulnerabilities that expose users to cross-site scripting and data theft attacks.

Google Chrome's beta and stable channels have been updated to version 1.0.154.46 to mitigate an issue with the Adobe Reader plug-in (two separate vulnerabilities) and to fix a bug in the V8 JavaScript engine could allow bypassing same-origin checks.

The skinny:

  • CVE-2007-0048 and CVE-2007-0045: Workaround for Adobe Reader Plugin Open Parameters Cross-Site Scripting Vulnerability
    • Google Chrome now refuses requests for javascript: URLs in Netscape Plugin API (NPAPI) requests from the Adobe Reader plugin. Adobe is aware of this issue and has helped us develop this mitigation while they work on a fix for all users.
    • Severity: Moderate. This could allow a PDF document to run scripts on arbitrary sites.

  • CVE-2009-0276: Javascript Same-Origin Bypass
    • A bug in the V8 JavaScript engine could allow bypassing same-origin checks in certain situations.
    • Severity: High. A malicious script in a page could read the full URL of another frame, and possibly other attributes or data from another frame in a different origin. This could disclose sensitive information from one website to a third party.

The patch (see release notes) also fixes problems with Yahoo Mail and Windows Live Hotmail.

ALSO READ:

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.
See All
See All