Thursday, April 23, 2009

Stable Update: Security Fix

Edit (24 April): Removed "Such an attack only works if Chrome is not already running."

Google Chrome's Stable channel has been updated to 1.0.154.59 to fix a security issue:



CVE-2009-1412 ChromeHTML protocol handler same-origin bypass
An error in handling URLs with a chromehtml: protocol could allow an attacker to run scripts of his choosing on any page or enumerate files on the local disk under certain conditions.


If a user has Google Chrome installed, visiting an attacker-controlled web page in Internet Explorer could have caused Google Chrome to launch, open multiple tabs, and load scripts that run after navigating to a URL of the attacker's choice.


See http://code.google.com/p/chromium/issues/detail?id=9860 for more details.


Affected versions: 1.0.154.55 and earlier


Severity: High. This allows universal cross-site scripting (UXSS) without user interaction under certain conditions.
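The advisory gives two concrete facts a defender can act on: builds 1.0.154.55 and earlier are affected, and 1.0.154.59 carries the fix. The following Python is an added example (not code from the Chrome project) that turns those two facts into an inventory check; it compares version components numerically, so that a build such as 1.0.154.6 is not misreported as newer than 1.0.154.59 by plain string comparison, and reports builds the advisory does not name as "unknown" rather than assuming they are safe. The host inventory is constructed for illustration.

```python
"""Classify installed Google Chrome builds against the CVE-2009-1412 advisory.

Added example (not Chrome project code). The two version constants come from
the advisory; SAMPLE_INVENTORY is constructed for illustration.
"""
from typing import Dict, List, Tuple

LAST_AFFECTED_VERSION = "1.0.154.55"  # "Affected versions: 1.0.154.55 and earlier"
FIXED_VERSION = "1.0.154.59"          # Stable channel build that carries the fix


def parse_version(text: str) -> Tuple[int, ...]:
    """Convert "1.0.154.59" to (1, 0, 154, 59).

    Components are compared as integers, not as strings: as strings,
    "1.0.154.6" would sort *after* "1.0.154.59", and a vulnerable build
    would be misreported as patched.
    """
    parts = text.strip().split(".")
    if not all(part.isdigit() for part in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(part) for part in parts)


def status(version: str) -> str:
    """Return "affected", "fixed", or "unknown".

    The advisory only names 1.0.154.55 and earlier as affected and
    1.0.154.59 as fixed; builds in between are not covered by it, so they
    are reported as "unknown" rather than silently assumed safe.
    """
    v = parse_version(version)
    if v <= parse_version(LAST_AFFECTED_VERSION):
        return "affected"
    if v >= parse_version(FIXED_VERSION):
        return "fixed"
    return "unknown"


def is_affected(version: str) -> bool:
    """True when the build falls in the advisory's affected range."""
    return status(version) == "affected"


# Constructed sample inventory: hostname -> reported Chrome version.
SAMPLE_INVENTORY: Dict[str, str] = {
    "ws-001": "1.0.154.59",
    "ws-002": "1.0.154.55",
    "ws-003": "1.0.154.6",
    "ws-004": "1.0.154.57",
    "ws-005": "0.4.154.33",
}


def hosts_needing_attention(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """List (host, version, status) for every host not confirmed fixed, sorted by host."""
    return sorted(
        (host, ver, status(ver))
        for host, ver in inventory.items()
        if status(ver) != "fixed"
    )


if __name__ == "__main__":
    for host, ver, st in hosts_needing_attention(SAMPLE_INVENTORY):
        print(f"{host}: Chrome {ver} -> {st}")
```

Feeding it a real inventory only requires replacing SAMPLE_INVENTORY with whatever your asset system reports for the Chrome version; the classification logic itself needs no change.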


Credit: Roi Saltzman (roisa@il.ibm.com) Security Researcher at IBM Rational Application Security Research Group


--Mark Larson
Google Chrome Program Manager

18 comments:

Migman said...

My browser loaded 1.0.154.59 version.

friends said...

I open the Google home page, and in the same tab I open another web site from the address bar; the site opens very, very slowly.

How do I open it quickly?

Lumo said...

By the way, the newest Dev channel Google Chrome 2.0.176.0 is out.

Migman said...

2 Lumo
Is it your version? =)))) LOL
On the official blog I can't find this version...

Farinha said...

What happened to the "Check for Updates" button in the "About Google Chrome" screen? I didn't realise it was gone until I read this and actually tried to update.

How are we supposed to do updates now?

Lumo said...

Dear Migman, nope, I am not able to control or hack the dl.google.com, so it is not my version but the official Dev version 2.0.176.0.

You can also see that it is already described in the release notes. Well, this particular blog is not guaranteed to be the most up-to-date source of information about new versions of Chrome. Get used to it. ;-)

Best
LM

krtulmay said...

@Lumo, actually yes, this blog *is* the official information blog for new updates for Google Chrome. The standalone installer and release notes you point out are probably done in preparation for the 176.0 release, but until it says so on this blog, it is not officially released yet.

migman.mp said...

+1

Lumo said...

Dear krtulmay,

I didn't write that this blog fails to be the most official place to announce the new versions.

I wrote that this blog fails to be the most up-to-date server informing about newly released versions and I insist that this statement of mine is proved in the links I have summarized above.

And believe me or not, nothing will change about a single bit of the 2.0.176.0 binary, regardless of whether it will be described here, elsewhere, or not. Moreover, because 2.0.176.0 is described in the Google page with "release notes" linked above, I would claim that the version has also been officially released, according to any sensible interpretation of the word "official".

Best
Lubos

krtulmay said...

@Lumo, I actually thought about exactly the *opposite* of your point after my previous post, but I had decided not to follow up.

In fact, since mid-Sep 2008 after Google Chrome was released, this blog *is* the most up-to-date information about new releases.

So, since 2.0.176.0 has not been posted to this blog yet, the clear information is that it is *not* officially released, despite the links to the standalone installer and release notes. That's why I say those links must be thought of as preparation only, because this blog *is* the up-to-date authority and 2.0.176.0 is still not released yet.

This is further backed up by the fact that I don't think anyone has been able to update to 2.0.176.0 through "About Google Chrome", and that Chromium devs have previously stated the standalone installer links are used for their internal testing.

Locke said...

In any case I'd prefer not to download it until it's been 'officially' released through the update tool.

For all I know a flaw could be found through internal testing or from an 'early bird' tester that needs to be patched before its widespread release.

TJ Brown said...

@Locke

2.0.176.0 IS an official release that everyone will get. How do I know that? Because ONLY official releases are mentioned on the Chromium release notes page. My guess is that it was finished so close to the weekend that they didn't have time to release it to everyone over Google Update (and they won't post about the new version on this blog until that has happened).

Arkadiusz said...

On this version 2.0.176.0 which you posted there is a hard issue. I can't type Polish diacritic marks using right Alt + specific letter in text fields.

Sean said...

In Gmail the newest Dev channel version (2.0.176.0) doesn't have a scroll bar.

leyland said...

Why is 2.0.176.0 not available via the built-in update tool? BTW, I'm on the Dev channel; I tried switching to the Beta channel and back to the Dev channel, but no luck.

Mark Larson (Google) said...

176 was not released. It was in testing. Part of testing is staging the build on the download server to test updates.

However, 176 has a high crash rate. It possibly has other issues; testing was halted early.

You shouldn't install builds directly from the download server. You might get a buggy build; you might get a build that never updates, leaving you without critical security fixes.

When a build is officially released, it will be announced on this blog and the update will be available by using About Google Chrome > Check for Updates.

leyland said...

Thanks Mark, I guess the confusion here is mainly because 2.0.176.0 is listed in the Chrome release notes page at http://dev.chromium.org/getting-involved/dev-channel/release-notes

Ludovic-Ştefan Kocsis said...

Apparently there are many biometric solutions which DON'T work with Chrome (until now I have not heard of any one that works). Using biometrically-protected password banks is an addictive thing, especially with the ever-growing number of sites requiring login, often clicking a link and needing to enter new login information before seeing the contents under the respective link. For the past two years I've been using a Lenovo R61i with fingerprint reader and password manager. Now I am using an Acer Aspire 8930G with fingerprint reader, Acer Bio Protection AAV and password bank. Different solutions, same result: they are working with IE, not with Chrome. It's pretty sad that I have to use Gmail on IE (mainly because I get many links in mail that lead to sign-in protected sites) and use Chrome only for Google search or other activities not prone to lead to sign-in screens. Because of the number of different non-working biometric solutions I do think there should be something to be done from the Chrome side, like passing compatible messages while in sign-in screens between Chrome and any biometric software. There probably is a certain form of messages that IE is using, and biometric software recognizes... Hope these aren't patented :D Otherwise... I can't wait to use Chrome more than I do now...