Version 3.0.195.21 goes stable

Sep 16, 2009 08:52 GMT

The new version of Google Chrome fixes two security issues, which could have exposed users to malicious attacks. Both vulnerabilities allow potential attackers to execute arbitrary JavaScript code inside a visitor's browser.

The first vulnerability involves Chrome's internal feed reader rendering untrusted active content embedded in RSS or Atom feeds. This means that an attacker can add malicious JavaScript to a feed and then trick a user into opening it in the browser, at which point the code is executed.

Google credits a security researcher known only by the handle Inferno for the discovery of this flaw, which was reported to the Chrome Security Team on September 7. On his blog, Inferno describes the issue in greater detail and points out that his work is based on older feed-reader XSS research by James Holderness and James M. Snell.

Moreover, the researcher announces that the Opera browser is also vulnerable and that possible cross-site scripting attacks include session cookie hijacking, browser history spying, mapping web servers on the internal network and displaying a phishing page.

However, it appears that Opera chose to mitigate only one of the three exploitation scenarios presented, considering the rest to be design features of its default feed reader. In comparison, Chrome has disabled Atom/RSS parsing entirely and now serves such feeds with a text/plain MIME type. As a result, a third-party external feed reader is now required to parse feeds.

This vulnerability is rated medium in terms of severity, due to its low exposure rate. One of the exploitation conditions is for an attacker to inject JavaScript into a feed, but according to the Google Chrome Security Team, "Most web sites are not affected because they do not include untrusted content in RSS or Atom feeds."
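As an added illustration that is not part of the original article: a small Python check that flags feed entries whose HTML content carries active markup, plus a renderer that mirrors Chrome's approach of showing feed content escaped as plain text instead of rendering it. The Atom feed below is constructed for the example; the detection pattern is a simple heuristic, not a complete HTML sanitizer.

```python
import html
import re
import xml.etree.ElementTree as ET

ATOM_NS = "{http://www.w3.org/2005/Atom}"

# Constructed sample feed (not from the advisory): one benign entry and one
# whose HTML content carries the kind of active markup the article describes.
SAMPLE_FEED = b"""<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Example feed</title>
  <entry>
    <title>Benign post</title>
    <content type="html">&lt;p&gt;Hello &lt;b&gt;world&lt;/b&gt;&lt;/p&gt;</content>
  </entry>
  <entry>
    <title>Injected post</title>
    <content type="html">&lt;p onmouseover="x()"&gt;hi&lt;/p&gt;&lt;script&gt;x()&lt;/script&gt;</content>
  </entry>
</feed>"""

# Heuristic for active content: script-bearing elements, inline event
# handlers and javascript: URLs. Good enough to flag entries for review.
ACTIVE_CONTENT = re.compile(
    r"<\s*(script|iframe|object|embed)\b"      # active elements
    r"|\son[a-z]+\s*="                          # inline event handlers
    r"|(href|src)\s*=\s*['\"]?\s*javascript:",  # script URLs
    re.IGNORECASE,
)


def entries_with_active_content(feed_bytes):
    """Return titles of entries whose content or summary holds active markup."""
    root = ET.fromstring(feed_bytes)
    flagged = []
    for entry in root.iter(ATOM_NS + "entry"):
        title = entry.findtext(ATOM_NS + "title", default="")
        nodes = entry.findall(ATOM_NS + "content") + entry.findall(ATOM_NS + "summary")
        # ElementTree has already decoded &lt; to <, so node.text is the HTML
        # string a feed reader would otherwise hand to its renderer.
        if any(n.text and ACTIVE_CONTENT.search(n.text) for n in nodes):
            flagged.append(title)
    return flagged


def render_as_text(feed_bytes):
    """Mirror Chrome's fix: never render feed HTML, emit it escaped as plain text."""
    root = ET.fromstring(feed_bytes)
    lines = []
    for entry in root.iter(ATOM_NS + "entry"):
        title = entry.findtext(ATOM_NS + "title", default="")
        body = entry.findtext(ATOM_NS + "content", default="")
        lines.append(f"{html.escape(title)}: {html.escape(body)}")
    return "\n".join(lines)
```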

The second issue was located in the getSVGDocument method, which apparently lacked an access check. This allowed a potential attacker to bypass the same-origin policy and inject rogue JavaScript code into a website hosting an SVG document. This vulnerability is rated high severity, and a security researcher named Isaac Dawson is credited with its discovery.

Finally, Google's Chrome Program Manager, Anthony Laforge, extends special thanks to CERT's Will Dormann for "working with us to improve the security of the new audio and video codecs in this release."