1.0.154.59 and 2.0.172.8

Apr 24, 2009 20:51 GMT

Google made two new versions of its open source browser available for download this week. On the Google Chrome Stable channel, the latest update from the Mountain View-based search giant takes the browser to version 1.0.154.59. Google indicated that the refresh was necessary to resolve a critical security vulnerability: CVE-2009-1340, a same-origin bypass in the ChromeHTML protocol handler. The company revealed that, if successfully exploited, the vulnerability allowed universal cross-site scripting (UXSS) with no user interaction in specific scenarios.

“An error in handling URLs with a chromehtml: protocol could allow an attacker to run scripts of his choosing on any page or enumerate files on the local disk under certain conditions,” Mark Larson, Google Chrome program manager, stated.

“If a user has Google Chrome installed, visiting an attacker-controlled web page in Internet Explorer could have caused Google Chrome to launch, open multiple tabs, and load scripts that run after navigating to a URL of the attacker's choice. Such an attack only works if Chrome is not already running.”

Earlier this week, Google also updated the successor to Chrome 1.0, offering testers Google Chrome 2.0.172.8 through the Beta channel. Larson indicated that build 2.0.172.8 of the browser was designed to resolve a couple of problems, which he described as having a major impact.

“On some sites, text disappears or is never drawn. For example, on Google Calendar, the titles for all day events do not display,” Larson stated. “Google Chrome Beta does not launch after the update to 172.6. This affects users who installed Google Chrome through Google Pack, joined the Beta channel, and do not run as an administrator.”

The latest Google Chrome releases are available for download here.