October 20th, 2008
Google readying fix for Chrome file download flaw
Just hours after the release of the Google Chrome browser last month, researcher Aviv Raff discovered that he could combine two vulnerabilities — a flaw in Apple Safari (WebKit) and a Java bug — to trick users into launching executables direct from the new browser. (Here’s a demo showing how a Google Chrome users can be lured into downloading and launching a JAR (Java Archive) file that gets executed without warning.
Now, it looks like Google is finally taking the threat seriously with the release of a new Chrome version to developers that changes the download behavior for files that could execute code.
From the changelog:
- This [version] adds prompting for dangerous types of files (executable) when they are automatically downloaded.
- The file is saved with a temporary name (dangerous_download_xxxx.download) in the download directory and the user is presented (in the download shelf and the download tab if opened) with a warning message and buttons to save/discard the download.
- If discarded the download is removed (and its file deleted). If saved, download goes as usual.
- Dangerous downloads not confirmed by the user are deleted on shutdown.
ALSO SEE:
Google Chrome vulnerable to carpet-bombing flaw
Google Chrome, the security tidbits
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
For daily updates on Ryan's activities, follow him on Twitter.
Subscribe to Zero Day via Email alerts or RSS.
