Google Chrome flaws come soon after browser release
Less than a day after Google arrived on the browser scene with the launch of Chrome, two security researchers have disclosed separate vulnerabilities that could be exploited to compromise the software.
Researcher Aviv Raff told SCMagazineUS.com on Wednesday that Chrome suffers from the same “carpet bomb” vulnerability once present in Apple's Safari for Windows, by which the browser does not require user permission prior to a download.
The flaw resides in WebKit, an open-source application framework used to design browsers, such as Safari and Chrome.
Under the attack scenario, a user would visit a malicious site, and Chrome would automatically download a JAR (Java Archive) file to either the desktop – as was the case with the Safari issue – or to a dedicated download folder, Raff said in an interview over instant messenger.
In the cases of the latter, attackers could exploit a user interface issue in Chrome that could convince a user to execute a file.
“The thing is, Chrome shows a download bar at the bottom of the page, when a file is downloaded,” Raff said. “When a user clicks on the ‘file' button on the download bar, it will execute it, without any warning. The bar looks as if it's part of the page.”
Megan Lamb, a Google spokeswoman, said Chrome does not automatically download files "that have the potential to manipulate window preferences and change the order in which DLLs (dynamically linked libraries) are loaded."
Should users wish to be prompted before every file download, they should choose "Ask where to save each file before downloading" on the "Minor Tweaks" tab in the "Options" dialog, Lamb said.
Meanwhile, researcher Rishi Narang, posting on EvilFingers.com, disclosed a flaw that causes Chrome to crash just by visiting a malicious link and without user interaction.
“An issue exists in how Chrome behaves with undefined handlers in chrome.dll version 0.2.149.27,” Narang's advisory said.
Lamb said Google is aware of this hole and is working on a fix.
Both Raff and Narang have posted proof-of-concepts.