Google Chrome universal XSS vulnerability, now fixed

Monday, 4 May 2009

Roi Saltzman, a Security Researcher at IBM Rational Application Security Research Group, has been credited with the discovery  of this vulnerability - now fixed on Version 1.0.154.59 - which allows universal cross-site scripting (UXSS) without user interaction under certain conditions.

"During unrelated research, I came across a number of security issues that reside in various parts of Google's web browser - Google Chrome.

These issues pose a major threat to any user that browses a maliciously crafted page using Internet Explorer and has Google Chrome installed alongside.

Using a vulnerability in the ChromeHTML URL handler, it is possible to force Google Chrome load arbitrary URIs when it is launched through IE. Combined with other issues, this seemingly harmless vulnerability opens the door to two major attack vectors:

    * Bypass the Same Origin Policy restrictions for any site (this has the same impact as Universal XSS)
    * Enumerate victim's local files and directories

A thorough explanation of the issues, attack vectors and impact can be found in the following advisory.

Proof Of Concept:
A Universal XSS PoC is available here (Open with Internet Explorer)
File Enumeration PoC is available here (Open with Internet Explorer)"

Download the latest Google Chrome version here.

REFERENCES:

http://blog.watchfire.com/wfblog/2009/04/google-chrome-universal-xss-vulnerability-.html

http://code.google.com/p/chromium/issues/detail?id=9860

http://googlechromereleases.blogspot.com/2009/04/stable-update-security-fix.html