Google plugs ‘high-risk’ holes in Chrome browser

a high-priority Chrome browser patch with fixes for three security vulnerabilities that expose users to cross-site scripting and data theft attacks.

Google Chrome’s beta and stable channels have been updated to version to mitigate an issue with the Adobe Reader plug-in (two separate vulnerabilities) and to fix a bug in the V8 JavaScript engine could allow bypassing same-origin checks.

The skinny:

  • CVE-2007-0048 and CVE-2007-0045: Workaround for Adobe Reader Plugin Open Parameters Cross-Site Scripting Vulnerability
    • Google Chrome now refuses requests for javascript: URLs in Netscape Plugin API (NPAPI) requests from the Adobe Reader plugin. Adobe is aware of this issue and has helped us develop this mitigation while they work on a fix for all users.
    • Severity: Moderate. This could allow a PDF document to run scripts on arbitrary sites.
  • CVE-2009-0276: Javascript Same-Origin Bypass
    • A bug in the V8 JavaScript engine could allow bypassing same-origin checks in certain situations.
    • Severity: High. A malicious script in a page could read the full URL of another frame, and possibly other attributes or data from another frame in a different origin. This could disclose sensitive information from one website to a third party.

The patch (see release notes) also fixes problems with Yahoo Mail and Windows Live Hotmail.


[Source: zdnet]


jessicaalba.alba222 said...

Earning money online never been this easy and transparent. You would find great tips on how to make that dream amount every month. So go ahead and click here for more details and open floodgates to your online income. All the best.