Google Patches Chrome File-stealing Bug

Google Inc. has patched Chrome to prevent attackers from stealing files from PCs running the open-source browser.

The update, however, has not been pushed out to most users yet.

Google quashed the bug in a developer-only version of Chrome that has not been sent to all users via the browser’s update mechanism. Chrome users, however, can reset the browser to receive all updates, including the developer editions, with the Channel Chooser plug-in.

Chrome 0.4.154.18, which was released Tuesday, fixes a vulnerability that could be used by hackers to read files on a user’s machine, then transfer them to their own malicious servers. “We now prevent local files from connecting to the network with XMLHttpRequest() and also prompt you to confirm a download if it is an HTML file,” Mark Larson, Chrome’s program manager, said in an entry to the browser’s developer blog.

Google also enhanced Chrome by adding several new features to the 0.4.154.18 build, including a bookmark manager, more granular control over the browser’s built-in privacy mode and a revamped pop-up blocker.

Larson warned users, however, that Chrome continues to have problems synchronizing offline data using Gears, Google’s platform for building Web applications that can be used offline as well as when the user is connected to the Internet. “Sites that use Gears to synchronize offline data may occasionally hang,” Larson said. “You should disable offline access for sites until a fix is released.”

Chrome 0.4.154.18 also includes a newer version of V8, the name for Google’s JavaScript interpreter.

The current “official” beta build of Chrome is 0.3.154.9.

Google’s browser accounted for only 0.74% of the browser usage share last month, according to data from Web metrics company Net Applications Inc.