In association with heise online

30 January 2009, 10:39

Google fixes security vulnerabilities in Chrome

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

The Google Chrome development team have released update, which fixes three security vulnerabilities, two of which affect calls to the Adobe Reader plug-in and enable cross-site scripting attacks to be carried out using crafted PDF files. The Chrome update prevents calls to the plugin, but does not address the actual problem – Adobe is also currently working on an update for its Reader plug-in.

In addition, a bug in the JavaScript Engine means that it is possible to circumvent the Same Origin Policy. According to Google, JavaScript can be used to read the URL and other attributes and data from other frames. Attackers could exploit this, for example to sniff out form data. For this to occur, however, a user would have to have one window open containing the malicious JavaScript and one window containing, for example, their banking website. Google classes the problem as critical.

The new version also includes a number of enhancements. Windows Live Hotmail should now work and it should, once more, be possible to send e-mail using Yahoo Mail. As well as the stable version, the developers have also released an update for the Beta 2.x version, which is not intended for production use. The updates can be obtained using the "Customise and control Google Chrome/About Google Chrome" option.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit