Hi Chris,
You're right: File browse dialogs change the CWD and this contributes
essentially to the exploitability of the bug in question. While it's possible
to prevent these dialogs from *keeping* the CWD where the user OK'ed a selected
file/folder (see

Chrome pkcs11.txt File Planting
A month ago our company notified Google about a peculiar behavior of
the Chrome browser that can be exploited for execution of remote code outside
the Chrome sandbox under specific conditions. Our new blog post describes it all.
http://blog.acrossecurity.com/2011/10/google