Stable, Beta update: Yahoo! Mail and Security Fixes

Google Chrome’s Beta and Stable channels have been updated to 1.0.154.46. (Note, we won’t have a different release for the Beta channel until we have something Beta-worthy come out of the Dev channel in February.)

This release fixes issues with two popular webmail providers:

• Sending mail from Yahoo! Mail works again.
• Windows Live Hotmail now works. While the Hotmail team works on a proper fix, we’re deploying a workaround that changes the user agent string that Google Chrome sends when requesting URLs that end with mail.live.com.

If you’ve been using the --user-agent switch to use Hotmail, you can remove the switch from your shortcuts with this release.

This release also includes two security updates. The release notes have the full list of changes.

Security Updates

> Work around for “Adobe Reader Plugin Open Parameters Cross-Site Scripting Vulnerability”
>
> CVE: CVE-2007-0048, CVE-2007-0045
>
> Google Chrome now refuses requests for javascript: URLs in Netscape Plugin API (NPAPI) requests from the Adobe Reader plugin. Adobe is aware of this issue and has helped us develop this mitigation while they work on a fix for all users.
>
>

>
> Severity: Moderate. This could allow a PDF document to run scripts on arbitrary sites.
>
> Credit: Thanks to Michael Schmidt for reporting this responsibly to Google.
>
>

>
> Javascript Same-Origin Bypass
>
> CVE: CVE-2009-0276
>
> A bug in the V8 JavaScript engine could allow bypassing same-origin checks in certain situations.
>
>

>
> Severity: High. A malicious script in a page could read the full URL of another frame, and possibly other attributes or data from another frame in a different origin. This could disclose sensitive information from one website to a third party.
>
> Credit: Found internally by Google.

--Mark Larson, Google Chrome Program Manager