Technology.am (Apr. 24, 2009) — Google on Thursday released a new version of its Chrome browser to fix security problem, which was reported early of this month by IBM’s Roi Saltzman that allows cross-site scripting attacks. These methods can make a Web browser process unauthorized code such as JavaScript, enabling a variety of attacks, including impersonation or phishing.

An error comes in handling URLs with a chromehtml: protocol that could allow an attacker to run scripts of his choosing on any page or enumerate files on the local disk under certain conditions.

When a user has installed Google Chrome and visiting an attacker-controlled Web page in Internet Explorer could have caused Google Chrome to launch, open multiple tabs, and load scripts that run after navigating to a URL of the attacker’s choice. This type of an attack only works if Chrome is not already running.

The problem affects Google’s mainstream stable version of Chrome and that is fixed in the new version 1.0.154.59 (download).