Identity Theft News

Google Chrome update fixes XSS vulnerability

Tuesday, April 28, 2009

Google released a new version of its Chrome web browser last week to fix a high-severity web security flaw that allowed cross-site scripting (XSS) attacks.

XSS attacks allow attackers to inject unauthorized code, such as JavaScript, in order to steal personal data or conduct phishing.

Visiting an attacker-controlled web page in Internet Explorer could have caused Google Chrome to launch, open multiple tabs and load scripts that run after navigating to a URL of the attacker's choice, Chrome program manager Mark Larson explained.

The Chrome vulnerability was initially reported on April 8 by Roi Saltzman, a security researcher from the IBM Rational Application Security Research Group, Google said on its Chrome blog.

"The flaw in the ChromeHTML URI handler allows an attacker to bypass the Same Origin Policy for any site and also enumerate victim's files and directories," Saltzman reported.

When loaded in Internet Explorer, a specially crafted HTML page can launch Google Chrome with an arbitrary URI without requiring any user interaction.

The vulnerability affects Google's mainstream stable version of Chrome and is fixed in the new version 1.0.154.59.

Chrome updates itself automatically, although the software must be restarted for the new version to run.

