Smokey's Security Weblog

veritas odium parit

Google Chrome at risk from ‘carpet bomb’ bug

Google Inc.’s brand-new Chrome browser has only just launched, and the first blended threat (so named because it relies on multiple vulnerabilities) has already been reported. This critical threat can take down your PC. Great news, isn’t it?

ComputerWorld Security wrote:

Attackers can combine a months-old “carpet bomb” bug with another flaw disclosed last month to trick people running Google’s Chrome browser into downloading and launching malicious code. The attacks are possible because Google used an older version of WebKit, an open-source rendering engine that also powers Apple Inc.’s Safari, as the foundation of Chrome.

“This is different from the Safari/IE blended threat,” said Israeli researcher Raff in an interview conducted via instant messaging. “It’s a different blend with one similar component. It uses the auto-download vulnerability (aka ‘Carpet Bomb’) in combination with a [user interface] design flaw and an issue with Java that doesn’t display a warning on execution of JAR files downloaded from the Internet.”

The carpet-bomb bug — revealed by researcher Nitesh Dhanjani in early May and named for the way it could be used to dump files onto the Windows desktop — stemmed from the fact that Safari did not require a user’s permission to download a file. Attackers, Dhanjani said, could populate a malicious site with rogue code that Safari would automatically download to the desktop, where it might tempt a curious user into opening the file.

Google used a prepatch version of WebKit to build Chrome, and so the bug, which was also patched in later editions of WebKit, slipped through. According to Raff, the Chrome beta uses the older WebKit 525.13, the engine used by Safari 3.1.

Chrome also contributes to the problem, said Raff, by making downloaded files appear as buttons at the bottom of the browser’s frame. “One click on this button will execute the file,” Raff said. Attackers could place malware on a malicious site, then wait for — or better yet, draw in — users running Chrome. The browser would not warn the user of the JAR file automatically downloaded from the site, and the button-style indicator in Chrome could be easily mistaken for part of the application.

Workaround

No vendor patch is available; however, ComputerWorld advised using the following workaround:

Users can set an option in Chrome that will thwart the exploit by popping up a warning asking for a file name and location for any downloaded file. To change Chrome, select Options under the “Customize and control Google Chrome” menu; the menu is at the far right, near the top. Although not named, it looks like a small wrench. Next, click the “Minor Tweaks” tab in the Options window, then check the box that reads “Ask where to save each file before downloading.”

Additional: Google’s Chrome Browser – Security & Privacy Issues

Posted by SUMware on DSLReports:

Chrome is a security nightmare, indexes your bank accounts September 04, 2008
After playing around with Google’s brand new Chrome browser, we’ve discovered that its history search box will fetch all types of data – even text from HTTPS-protected financial sites like Washington Mutual and Capital One. With a few utterly simple keywords like balance, account and Sept., everything from balance information, account numbers and even how much you spent at Costco can be pulled up.

Chrome: Google’s biggest threat to your privacy September 4, 2008
The danger comes from one of Chrome’s niftiest features, what it calls the Omnibox. The Omnibox is, in fact, the browser’s Address Bar, but it has a feature that looks at what you type, and then auto-suggests sites that it thinks you’re about to enter. As you type, the suggestions appear.

As you type, your text is sent back to Google, which analyzes it and makes the auto-suggestions. That’s why you don’t even need to press Enter for the text to head to Google.

Sources/authors:

Full ComputerWorld article: ComputerWorld
Additional threat info: SecurityFocus
Original SUMware DSLReports thread: DSLR

September 6, 2008 - Posted by | Advisories, Alerts, Malware, News, Recommended External Security Related Links, Uncategorized, Vulnerabilities

1 Comment »

  1. […] of a security flaw that once exist in Safari as a result of old webkit development platform.  Some serious security flaw can take your PC down.  At this point, no security patch had been released only a minor tweak to prevent vulnerability […]

    Pingback by Happy Birthday Google. | Streamxy - The Next Internet Rush | September 6, 2008 | Reply

