RealTime IT News

Google fixes command injection issue in Chrome

googlechromologo.jpg
From the 'GoogleUpdater has got your back' files:

Google is out with an incremental update to its stable and beta releases of the Chrome browser to version 1.0.154.48. The key fix is a very interesting cross browser attack vector that previously plagued Firefox and Microsoft's Internet Explorer.
According to Google's release notes:

There is also a security fix for a bug (5825 analogous to CVE-2007-3670) where command line arguments could be injected and executed by getting a user to click a link in certain other browsers.

As far as I can tell this is the same issue that Mozilla dealt with back in July of 2007.  The CVE advisory on the original issue notes:

Argument injection vulnerability in Microsoft Internet Explorer, when
running on systems with Firefox installed and certain URIs registered,
allows remote attackers to conduct cross-browser scripting attacks and
execute arbitrary commands.

So then - this is an issue that has been known in other browsers for 18+ months but now has been plugged in the newbie Google Chrome. Go figure.

I suspect that other issues like this will pop up in Chrome. That is, other older issues that have been solved by other browsers but have not yet been identified in Chrome, but will be. It's just a matter of time.

Comment and Contribute