Google plugs ‘high-risk’ holes in Chrome browser
Google has released a high-priority Chrome browser patch with fixes for three security vulnerabilities that expose users to cross-site scripting and data theft attacks.
Google Chrome’s beta and stable channels have been updated to version 1.0.154.46 to mitigate an issue with the Adobe Reader plug-in (two separate vulnerabilities) and to fix a bug in the V8 JavaScript engine that could allow bypassing same-origin checks.
The skinny:
- CVE-2007-0048 and CVE-2007-0045: Workaround for Adobe Reader Plugin Open Parameters Cross-Site Scripting Vulnerability
  - Google Chrome now refuses requests for javascript: URLs in Netscape Plugin API (NPAPI) requests from the Adobe Reader plugin. Adobe is aware of this issue and has helped us develop this mitigation while they work on a fix for all users.
  - Severity: Moderate. This could allow a PDF document to run scripts on arbitrary sites.
- CVE-2009-0276: Javascript Same-Origin Bypass
  - A bug in the V8 JavaScript engine could allow bypassing same-origin checks in certain situations.
  - Severity: High. A malicious script in a page could read the full URL of another frame, and possibly other attributes or data from another frame in a different origin. This could disclose sensitive information from one website to a third party.
The patch (see release notes) also fixes problems with Yahoo Mail and Windows Live Hotmail.