In a thread on the Chromium bug tracker a Google developer said, "We're not treating this as a security bug [because] the preconditions to exploit this are too stretched."
Later in the thread -- started by Kolsek on Sept. 21 when he reported Acros's findings -- the same developer added, "The implausibility of actual exploitation [means] we want to treat this as 'strange behavior that we should consider changing' rather than a vulnerability."
Acros didn't entirely disagree.
"This is hard to dispute," Acros said of the required preconditions, and the likelihood hackers would steer for exploits that had a higher probability of succeeding. "[But] as security researchers we consider any 'feature' that allows silent downloading of remote code and its execution on user's computer without warnings a vulnerability."
Acros raised an interesting question. "How much social engineering is too much?" the company asked in its analysis of the flaw.
That debate isn't new: Microsoft regularly downgrades the seriousness of vulnerabilities when it decides that "user interaction" -- tricking people to do some of an attacker's job -- is involved.
Acros recommended that Chrome users set a secure site (Gmail is one) as their home page to stymie such attacks. While Acros didn't spell out other options, users can also protect themselves by leaving Google as the browser's default search engine.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.