Edit (24 April): Removed "Such an attack only works if Chrome is not already running."
Google Chrome's Stable channel has been updated to 18.104.22.168 to fix a security issue:
CVE-2009-1412 ChromeHTML protocol handler same-origin bypass
An error in handling URLs with a chromehtml: protocol could allow an attacker to run scripts of his choosing on any page or enumerate files on the local disk under certain conditions.
If a user has Google Chrome installed, visiting an attacker-controlled web page in Internet Explorer could have caused Google Chrome to launch, open multiple tabs, and load scripts that run after navigating to a URL of the attacker's choice.
See http://code.google.com/p/chromium/issues/detail?id=9860 for more details.
Affected versions: 22.214.171.124 and earlier
Severity: High. This allows universal cross-site scripting (UXSS) without user interaction under certain conditions.
Credit: Roi Saltzman (email@example.com) Security Researcher at IBM Rational Application Security Research Group
Google Chrome Program Manager