Google Chrome flaws come soon after browser release

Updated on Wednesday, Sept. 3 at 6:45 p.m. EST

Less than a day after Google arrived on the browser scene with the launch of Chrome, two security researchers have disclosed separate vulnerabilities that could be exploited to compromise the software.

Researcher Aviv Raff told SCMagazineUS.com on Wednesday that Chrome suffers from the same “carpet bomb” vulnerability once present in Apple's Safari for Windows, by which the browser does not require user permission prior to a download. 

The flaw resides in WebKit, an open-source application framework used to design browsers, such as Safari and Chrome.

Under the attack scenario, a user would visit a malicious site, and Chrome would automatically download a JAR (Java Archive) file to either the desktop – as was the case with the Safari issue – or to a dedicated download folder, Raff said in an interview over instant messenger. 

In the latter case, attackers could exploit a user interface issue in Chrome to convince a user to execute the downloaded file.

“The thing is, Chrome shows a download bar at the bottom of the page, when a file is downloaded,” Raff said. “When a user clicks on the ‘file’ button on the download bar, it will execute it, without any warning. The bar looks as if it's part of the page.”

Megan Lamb, a Google spokeswoman, said Chrome does not automatically download files "that have the potential to manipulate window preferences and change the order in which DLLs (dynamically linked libraries) are loaded."

Should users wish to be prompted before every file download, they should choose "Ask where to save each file before downloading" on the "Minor Tweaks" tab in the "Options" dialog, Lamb said.

Meanwhile, researcher Rishi Narang, posting on EvilFingers.com, disclosed a flaw that causes Chrome to crash just by visiting a malicious link and without user interaction.

“An issue exists in how Chrome behaves with undefined handlers in chrome.dll version 0.2.149.27,” Narang's advisory said.

Lamb said Google is aware of this hole and is working on a fix.

Both Raff and Narang have posted proof-of-concepts.
