Google has released a new version of Chrome overnight, patching a high-severity security hole.

The flaw, discovered on April 8 by IBM, allowed for cross-site scripting attacks through the use of malicious JavaScript on a website.

Google Chrome program manager, Mark Larson, describes how the flaw could work. “An error in handling URLs with a chromehtml: protocol could allow an attacker to run scripts of his choosing on any page or enumerate files on the local disk under certain conditions.”

“If a user has Google Chrome installed, visiting an attacker-controlled Web page in Internet Explorer could have caused Google Chrome to launch, open multiple tabs, and load scripts that run after navigating to a URL of the attacker’s choice. Such an attack only works if Chrome is not already running,” wrote Larson.

The patch will be pushed out automatically to current Chrome users, and will take the browser to version 1.0.154.59. New users can download the latest Google Chrome directly.
