CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
September 2nd, 2008

Carpet-bombing Vulnerability In Google Chrome New Browser

Hours after the release of Google Chrome, researcher Aviv Raff discovered that he could combine two vulnerabilities, a flaw in Apple Safari (WebKit) and a Java bug discussed at this year’s Black Hat conference, to trick users into launching executables directly from the browser window.

A harmless proof-of-concept demo of the attack is available. In the demo Raff is showing how a Google Chrome users can be lured into downloading and launching a JAR (Java Archive) file that gets executed without warning. the code shows how a malicious hacker can use a clever social engineering and plant malware on Windows desktops in just two victim`s mouse clicks.

The Google Chrome user-agent shows that Chrome is actually WebKit 525.13 (Safari 3.1), which is an outdated/vulnerable version of that browser. Apple patched the carpet-bombing issue with Safari 3.1.2.

Some Google Chrome early adopters using Windows Vista are reporting that files downloaded from the Internet are automatically dropped on the desktop, setting up a scenario where a combo-attack using this unpatched IE flaw could be used in attacks.

On the Google Blogoscoped blog, some additional security related issues are mentioned:

Chrome has a privacy mode; Google says you can create an “incognito” window “and nothing that occurs in that window is ever logged on your computer.” The latest version of Internet Explorer calls this InPrivate. Google’s use-case for when you might want to use the “incognito” feature is e.g. to keep a surprise gift a secret. As far as Microsoft’s InPrivate mode is concerned, people also speculated it was a “porn mode.”

Web apps can be launched in their own browser window without address bar and toolbar. Mozilla has a project called Prism that aims to do similar (though doing so may train users into accepting non-URL windows as safe or into ignoring the URL, which could increase the effectiveness of phishing attacks).

To fight malware and phishing attempts, Chrome is constantly downloading lists of harmful sites. Google also promises that whatever runs in a tab is sandboxed so that it won’t affect your machine and can be safely closed. Plugins the user installed may escape this security model, Google admits.

Since Google Chrom is still in beta, it would be a good idea to wait until final release, where serious security issues will most likely be fixed.

Update (September 03): Rishi Narang from Evil Fingers released a proof of concept for another denial of service vulnerability that is successfully crashing the Chrome browser with all tabs. According to his advisory, an issue exists with undefined-handlers in chrome.dll version 0.2.149.27. A crash can result without user interaction: when a user visits malicious link, which has an undefined handler followed by a ’special’ character, the chrome crashes with a Google Chrome message window “Whoa! Google Chrome has crashed. Restart now?”. It crashes on “int 3″ at 0×01002FF3 as an exception/trap, followed by “POP EBP” instruction when pointed out by the EIP register at 0×01002FF4.

Share this item with others:

More on CyberInsecure:
  • Microsoft Alerts Users Not To Use Safari Due To Carpet Bombing Vulnerability
  • Address Spoofing Flaw Allows Google’s Chrome Websites Impersonation
  • Trojan Poses As Google Chrome Browser Extension
  • High-risk Vulnerabilities In Google Chrome
  • Microsoft Discovers Flaw In Google Plug-in For Internet Explorer

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: Carpet-bombing Vulnerability In Google Chrome New Browser

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    *
    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.