Google today updated its stable version of the Chrome browser to version 1.0.154.58 to fix a serious security issue. The ‘funny’ thing is the issue is triggered by Microsoft’s Internet Explorer (IE) browser.
The issue is very serious and according to Google could potentially enable something called universal cross-site scripting (UXSS) without a user having to do anything.
According to Google’s bug report on the issue:
When loaded in Internet Explorer, a specially crafted HTML page can launch Google Chrome with an arbitrary URI without requiring any user interaction.
That’s right friends, if you run into an evil page while running IE, you could force Chrome to open up any pages an attacker wants or even arbitrary JavaScript. The flaw stems from a handling error that on the surface sounds very similar to one that Mozilla fixed back in 2007 with the 2.0.0.5 release.
How could this happen in 2009 to Chrome? Is it Google’s fault or Microsoft’s?