In association with heise online

10 February 2009, 09:15

Google closes critical hole in Chrome

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Google has discovered a vulnerability in its Chrome web browser that can allow an attacker to execute his own commands on a vulnerable Windows system. The vulnerability requires that the victim has previously installed Chrome, but is visiting a rigged web page using another browser, such as Internet Explorer.

According to Google, the cause of the problem is, related to the processing of particular URI/URLs in other browsers, through which it is possible to start a new Chrome window with an arbitrary address. By adding certain parameters, it can be possible to start and stop programs on the users system, such as a FTP program, which could open a back door. Google has fixed the problem in the stable version and updates are available through using the "About Google Chrome" option, to check for updates.

The problem is not new; back in mid 2007 a similar hole was found with systems which had Firefox and Internet Explorer installed. At that time, a dispute erupted between the Firefox and Microsoft developers and their supporters, as to who was responsible for the problem. One side suggested that the Firefox developers should fix the issue, as it was Firefox that registered to handle the URIs. Others saw Internet Explorer as the problem, as it was invoking the URL/URI given to it without checking it. The hole was apparently closed in both Firefox and Internet Explorer. The question now is why has this issue reappeared for Chrome, and does it apply to un-patched or patched Windows systems. Without further testing the answer is unclear.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit