Google has released a new version of its Chrome browser that fixes a flaw which would have allowed cross-site scripting attacks.
On April 8, Roi Saltzman of the IBM Rational Application Security Research Group reported a flaw in Google’s Chrome browser that could allow cross-scripting attacks. Now Google has released a new version of the browser that fixes the problem, CNET reports.
Chrome has automatic updates, so users need do nothing other than restart the browser after an update.
In a blog posting, Mark Larson, Google Chrome program manager, wrote:
"An error in handling URLs with a chromehtml: protocol could allow an attacker to run scripts of his choosing on any page or enumerate files on the local disk under certain conditions."
"If a user has Google Chrome installed, visiting an attacker-controlled web page in Internet Explorer could have caused Google Chrome to launch, open multiple tabs, and load scripts that run after navigating to a URL of the attacker’s choice. Such an attack only works if Chrome is not already running."
