This allows an attacker to pass off a fake website as legitimate to unsuspecting users

Oct 27, 2008 06:46 GMT

Chinese security researcher Liu Die Yu has disclosed a URL spoofing vulnerability in Google Chrome, The Register reports. This comes shortly after the Google Chrome team patched another serious vulnerability, known as carpet bombing.

The security expert, who works for the Topsec TianRongXin lab in Beijing, released proof-of-concept code demonstrating how a legitimate URL can be forced into the address bar even though the browser is not actually loading that URL. The vulnerability can be triggered through a maliciously crafted JavaScript function and could be adopted in phishing attacks, since the address bar is the main cue users rely on to judge which site they are on.

Since Google Chrome is built on Apple's Safari WebKit engine, the two browsers share many vulnerabilities. Such was the case with the carpet bombing vulnerability, which Chrome inherited from the outdated WebKit 3.1.1 version it originally shipped as its engine.

That vulnerability was initially discovered and reported to Apple by Nitesh Dhanjani and was patched in WebKit version 3.3.2. Later, security researcher Aviv Raff combined it with a Java flaw to demonstrate how Chrome users could easily be tricked into automatically downloading and running a malicious .JAR archive.

According to Liu Die Yu, this is not the case with the URL spoofing vulnerability. The flaw appears to originate in Chrome-specific code and does not affect the WebKit engine itself. "I don't see Apple Safari vulnerable in the same way," the security expert told The Register.

Google has been made aware of the vulnerability and plans to fix it in a soon-to-be-released update. This might be version 0.3.154.3, which also includes the carpet bombing fix, or the later 0.3.154.6. Both releases are currently available only to developers, but users can download and install them manually or through the Channel Chooser plug-in.

Liu Die Yu has also discovered other Google Chrome vulnerabilities, which he had planned to present at XCon2008, an information security conference organized by XFocus, but the plans were canceled. “I was planning to present vulnerabilities of Google Chrome at XCON organized by XFOCUS. It's canceled, I'm sorry,” the researcher announced a few days ago. “Though I'm not to present at XCON, it doesn't alter that fact - Chrome does have security problems,” he later added.