It seems that users who have Microsoft Internet Explorer and Google Chrome installed on their machine are exposing themselves to malicious attacks simply because the two browser versions do not play well together. According to Google, visiting malicious web pages could permit an attacker to run scripts on the targeted machine.

“An error in handling URLs with a chromehtml: protocol could allow an attacker to run scripts of his choosing on any page or enumerate files on the local disk under certain conditions. If a user has Google Chrome installed, visiting an attacker-controlled web page in Internet Explorer could have caused Google Chrome to launch, open multiple tabs, and load scripts that run after navigating to a URL of the attacker's choice,” explained Google Chrome Program Manager, Mark Larson.

The security hole’s security rating is “high” because it allows universal cross-site scripting (UXSS) with no interaction from the user (in certain conditions of course). Chrome versions affected by this issue include version 1.0.154.55 and earlier versions. Google has already fixed the problem with the release of Chrome 1.0.154.59

“These issues pose a major threat to any user that browses a maliciously crafted page using Internet Explorer and has Google Chrome installed alongside. It is important to note that the way Internet Explorer processes URL protocol handlers is a known Achilles’ heel and has been widely used previously to attack other various applications,” explained Roi Saltzman, the security researcher that is credited for discovering this vulnerability. It is important to update your Chrome browser, if you are running it alongside Internet Explorer, for the simple reason that a proof-of-concept code for exploiting the vulnerability is available on the wild (that’s to say it is publicly available as you can see here).

When asked to comment on the matter, Microsoft stated that vulnerabilities in its code are not to blame for the problems with Chrome.