Google’s Chrome web browser has been out for about a day and already there are at least two known vulnerabilities published.
The first vulnerability, reported by Rishi Narang from Evilfingers, causes Chrome to crash without user interaction when it is given a malicious link with an undefined handler followed by a special character. The following HTML makes Google Chrome crash without any user intervention:
<html> <body> <a href="idonotexist:%">Click me</a> </body> </html>
For more details about this click here.
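As an added example (not from the original post or from the advisory), a content filter can flag this link pattern in user-submitted HTML before it is served. It reports link targets whose scheme is not on an allowlist and marks those that also contain a stray `%`. The allowlist and the names `KNOWN_SCHEMES`, `LinkAuditor` and `audit_html` are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Assumption: the schemes this site expects to see in links.
KNOWN_SCHEMES = {"http", "https", "ftp", "mailto"}
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
# A '%' that does not begin a valid two-hex-digit escape.
BAD_ESCAPE_RE = re.compile(r"%(?![0-9A-Fa-f]{2})")

class LinkAuditor(HTMLParser):
    """Collects href/src values that use a scheme outside KNOWN_SCHEMES."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in ("href", "src") or not value:
                continue
            url = value.strip()
            match = SCHEME_RE.match(url)
            if match is None:
                continue  # relative URL: no scheme to check
            scheme = match.group(1).lower()
            if scheme in KNOWN_SCHEMES:
                continue
            self.findings.append({
                "tag": tag,
                "url": url,
                "scheme": scheme,
                # True for the shape described above: unknown handler + bare '%'
                "malformed_escape": bool(BAD_ESCAPE_RE.search(url)),
            })

def audit_html(markup):
    """Return one finding per link target with an unrecognised scheme."""
    auditor = LinkAuditor()
    auditor.feed(markup)
    auditor.close()
    return auditor.findings

# Constructed sample: the link from the post next to benign links.
SAMPLE = """<html><body>
<a href="idonotexist:%">Click me</a>
<a href="https://example.com/a%20b">ok</a>
<a href="/relative/path">ok</a> <a href="mailto:user@example.com">ok</a>
</body></html>"""

if __name__ == "__main__":
    print(audit_html(SAMPLE))
```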
The second vulnerability, reported by researcher Aviv Raff, makes the browser susceptible to carpet-bombing attacks. Raff found that by combining a flaw in WebKit and a Java bug it was possible to launch executables directly from the browser of an unsuspecting user. Raff has a proof-of-concept available and it can be seen here. This bug was also present in Apple’s Safari and was later patched by Apple in version 3.1.2 of the browser. The vulnerability is present in WebKit 525.13, the outdated version at the core of Google Chrome.