According to an advisory from the Google Chrome team, there's an error in handling URLs with the a chromehtml: protocol that could allow an attacker to run scripts of his choosing on any page or enumerate files on the local disk under certain conditions.
[ SEE: Command injection flaw found in IE: Or is it Firefox? ]
It can be exploited by malicious hackers to launch universal cross-site scripting (UXSS) attacks without user interaction under certain conditions.
[ SEE: Mozilla caught napping on URL protocol handling flaw ]
IBM's Roi Saltzman, the researcher credited with finding and reporting the issue to Google, has released an advisory (word .doc) to explain the attack vectors and impact.
He warns that the flaw opens the door to two major attack vectors:
"It is important to note that the way Internet Explorer processes URL protocol handlers is a known Achilles' heel and has been widely used previously to attack other various applications," Saltzman said. Proof-of-concept code for this issue is publicly available.
Microsoft maintains the problems are not related to vulnerabilities in its code.