Microsoft finds security hole in Google Chrome Frame

Now comes word that a security researcher in the Microsoft Vulnerability Research (MSVR) has discovered a "high risk" security vulnerability that could allow an attacker to bypass cross-origin protections.

SEE: Microsoft says Google Chrome Frame doubles IE attack surface

• Severity: High. An attacker could have bypassed cross-origin protections. Although important, "High" severity issues do not permit persistent malware to infect a user's machine. We're unaware of any exploitation of this issue.

The search technology company has shipped a new version of the Google Chrome Frame (version 4.0.245.1) with a patch for the vulnerability.

The plug-in update also fixes several bugs:

• Network requests fail randomly (Issue 27401).
• Fix issues with CFInstall.js to better detect compatible OS and browser versions, allow users to cancel the installation frame, and not cache the isAvailable result (Issues 22738, 23057, and 23132).
• Don't use Google Chrome Frame for frames or iframes (Issue 22989).
• Follow redirects properly (Issue 25643).
• IE8 freezing intermittently (Issue 24007).
• Remove data directories on uninstall (Issue 27483).

"All users should be updated automatically," said Mark Larson, a member of the Google Chrome team.