November 19th, 2009

Microsoft finds security hole in Google Chrome Frame

Posted by Ryan Naraine @ 9:49 am

Categories: Anti Virus, Arbitrary Code Execution, Browsers, Data theft, Denial of Service (DoS), Exploit code, Google, Google Chrome, Malware, Microsoft, Open source, Patch Watch

Tags: Google Inc., Microsoft Corp., Google Chrome, Web Browsers, Security, Viruses And Worms, Internet, Ryan Naraine

Back in September, when Google launched the Google Chrome Frame plug-in for Internet Explorer users, Microsoft immediately warned that the move would increase the attack surface and make IE users less secure.

Now comes word that a security researcher with Microsoft Vulnerability Research (MSVR) has discovered a “high risk” security vulnerability that could allow an attacker to bypass cross-origin protections.

SEE: Microsoft says Google Chrome Frame doubles IE attack surface

  • Severity: High. An attacker could have bypassed cross-origin protections. Although important, “High” severity issues do not permit persistent malware to infect a user’s machine. We’re unaware of any exploitation of this issue.

The search technology company has shipped a new version of the Google Chrome Frame (version 4.0.245.1) with a patch for the vulnerability.

The plug-in update also fixes several bugs:

  • Network requests fail randomly (Issue 27401).
  • Fix issues with CFInstall.js to better detect compatible OS and browser versions, allow users to cancel the installation frame, and not cache the isAvailable result (Issues 22738, 23057, and 23132).
  • Don’t use Google Chrome Frame for frames or iframes (Issue 22989).
  • Follow redirects properly (Issue 25643).
  • IE8 freezing intermittently (Issue 24007).
  • Remove data directories on uninstall (Issue 27483).

“All users should be updated automatically,” said Mark Larson, a member of the Google Chrome team.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.



