Google plugs 'high-risk' holes in Chrome browser


Google has shipped a high-priority Chrome browser patch with fixes for three security vulnerabilities that expose users to cross-site scripting and data theft attacks.

Google Chrome's beta and stable channels have been updated to version 1.0.154.46 to mitigate an issue with the Adobe Reader plug-in (two separate vulnerabilities) and to fix a bug in the V8 JavaScript engine that could allow bypassing same-origin checks.

The skinny:

  • CVE-2007-0048 and CVE-2007-0045: Workaround for Adobe Reader Plugin Open Parameters Cross-Site Scripting Vulnerability
    • Google Chrome now refuses requests for javascript: URLs in Netscape Plugin API (NPAPI) requests from the Adobe Reader plugin. Adobe is aware of this issue and has helped us develop this mitigation while they work on a fix for all users.
    • Severity: Moderate. This could allow a PDF document to run scripts on arbitrary sites.

  • CVE-2009-0276: Javascript Same-Origin Bypass
    • A bug in the V8 JavaScript engine could allow bypassing same-origin checks in certain situations.
    • Severity: High. A malicious script in a page could read the full URL of another frame, and possibly other attributes or data from another frame in a different origin. This could disclose sensitive information from one website to a third party.

The patch (see release notes) also fixes problems with Yahoo Mail and Windows Live Hotmail.


About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
