Daily cyber threats and internet security news: network security, online safety and latest security alerts
April 28th, 2009

Computers With Internet Explorer And Google Chrome Installed Are At Risk

Security problems surrounding protocol handling and Web browsers have surfaced again — this time with Google Chrome and Microsoft’s Internet Explorer. The “high severity” vulnerability affects Google Chrome versions and earlier.

According to an advisory from the Google Chrome team, there’s an error in handling URLs with the a chromehtml: protocol that could allow an attacker to run scripts of his choosing on any page or enumerate files on the local disk under certain conditions.

If a user has Google Chrome installed, visiting an attacker-controlled web page in Internet Explorer could have caused Google Chrome to launch, open multiple tabs, and load scripts that run after navigating to a URL of the attacker’s choice. It can be exploited by malicious hackers to launch universal cross-site scripting (UXSS) attacks without user interaction under certain conditions.

IBM’s Roi Saltzman, the researcher credited with finding and reporting the issue to Google, has released an advisory to explain the attack vectors and impact. He warns that the flaw opens the door to two major attack vectors:

Bypass the Same Origin Policy restrictions for any site (this has the same impact as Universal XSS)
Enumerate victim’s local files and directories

“It is important to note that the way Internet Explorer processes URL protocol handlers is a known Achilles’ heel and has been widely used previously to attack other various applications,” Saltzman said.  Proof-of-concept code for this issue is publicly available.

Credit: ZDNet Security Blogs

Share this item with others:

More on CyberInsecure:
  • Microsoft Discovers Flaw In Google Plug-in For Internet Explorer
  • High-risk Vulnerabilities In Google Chrome
  • Carpet-bombing Vulnerability In Google Chrome New Browser
  • Trojan Poses As Google Chrome Browser Extension
  • Google Chrome Browser Bug Could Leak Identity of Anonymously Surfing Users

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: Computers With Internet Explorer And Google Chrome Installed Are At Risk

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.