
Forum Moderators: incrediBILL


Google Chrome Download Vulnerability

allows files to be downloaded without prompting the user

     
7:00 pm on Sep 3, 2008 (gmt 0)

Administrator

WebmasterWorld Administrator coopster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:July 31, 2003
posts:12533
votes: 0


US-CERT is aware of a vulnerability that affects the Google Chrome web browser. This vulnerability is due to a default configuration that allows files to be downloaded without prompting the user. In addition, downloaded files can be opened with a single click, which could allow a user to inadvertently open a malicious file.

US-CERT encourages users to enable the "Ask where to save each file before downloading" option within the "Minor Tweaks" tab in the browser preferences. Although this does not fix the underlying vulnerability, selecting this option will warn the user before files are downloaded. Users should still exercise caution when visiting and downloading items from untrusted websites.

US-CERT will provide additional information as it becomes available.

The alert is running on the US-CERT Current Activity page [us-cert.gov] right now, but not much else for details.

7:05 pm on Sept 3, 2008 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member pageoneresults is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 27, 2001
posts: 12166
votes: 51


US-CERT encourages users to enable the "Ask where to save each file before downloading" option within the "Minor Tweaks" tab in the browser preferences.

Can you believe that is one of the first things I did after downloading? :)

How ironic eh? How many more of these are we going to see over the next who knows how long? ;)

7:24 pm on Sept 3, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:May 26, 2000
posts:37301
votes: 0


This sounds like the same issue Safari has [webmasterworld.com] -- but I thought Google Chrome only used the same rendering engine.
8:14 pm on Sept 3, 2008 (gmt 0)

Senior Member from CA 

WebmasterWorld Senior Member encyclo is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 31, 2003
posts:9063
votes: 2


To be fair - this is an early beta, so finding problems is not surprising. However, it is a reminder that making a new browser is hard, other browsers have been through periods of intense scrutiny from the security industry, and browsers are particularly vulnerable to security holes due to their complexity.

It will be interesting to see how Google's patching process works in this case - it's very unlikely to be the only security hole in their browser.

8:56 pm on Sept 3, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Aug 17, 2004
posts:1354
votes: 0


Well, google covered their ass by labeling Chrome as being 'beta' :P
9:10 pm on Sept 3, 2008 (gmt 0)

Preferred Member

5+ Year Member

joined:July 31, 2006
posts:629
votes: 0


being 'beta'

gmail is still beta. Indeed looks like ****** coverage
9:30 pm on Sept 3, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:June 13, 2003
posts:1281
votes: 0


I think this is funny considering the emphasis they put on that feature in the webcast. They were so happy about one click downloading and execution. I wondered how long it'd go before someone came out against it.
9:40 pm on Sept 3, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Nov 22, 2003
posts:1230
votes: 0


but I thought Google Chrome only used the same rendering engine.

Within the Register url posted by PageOneResults they mention this at the bottom of page.

[theregister.co.uk...]

Apple patched the vulnerability with Safari v3.1.2, but the underlying software behind Chrome is based on older code, hence the vulnerability.
9:40 pm on Sept 3, 2008 (gmt 0)

Preferred Member

5+ Year Member

joined:Nov 20, 2007
posts:585
votes: 0


I really hoped Google had developed a browser from the ground up. Ouch, Safari bugs, not good press for Google.
11:22 pm on Sept 3, 2008 (gmt 0)

Preferred Member

10+ Year Member

joined:Feb 14, 2005
posts:475
votes: 0


Is that the same "Security Flaw" I saw in the article in ReadWriteWeb by Frederic Lardinois? (I think perhaps I am not allowed to post the link to it here?)
1:01 am on Sept 4, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:May 26, 2000
posts:37301
votes: 0


Same one - there's only one Chrome security flaw being kicked around at the moment, and this one is apparently inherited from the WebKit engine that Chrome uses.

As with Safari, just make the intentional decision about where to store your downloads and you've bypassed the vulnerability.

11:08 am on Sept 4, 2008 (gmt 0)

Full Member

5+ Year Member

joined:Oct 26, 2007
posts:345
votes: 0


mozilla with new look = google chrome
2:37 pm on Sept 4, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 23, 2002
posts:659
votes: 0


More trouble for Google Chrome Browser:

An issue exists in how chrome behaves with undefined-handlers in chrome.dll version
0.2.149.27. A crash can result without user interaction. When a user is made to visit
a malicious link, which has an undefined handler followed by a 'special' character,
the chrome crashes with a Google Chrome message window "Whoa! Google Chrome has crashed.
Restart now?".

[evilfingers.com...]

[edited by: tedster at 3:51 pm (utc) on Sep. 4, 2008]
[edit reason] attribute the quote [/edit]

3:53 pm on Sept 4, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:May 26, 2000
posts:37301
votes: 0


That's an interesting report - but apparently the browser crashes rather than becoming open to an exploit. Not too much of a worry unless someone finds a malicious way to exploit the crash.
4:32 pm on Sept 4, 2008 (gmt 0)

Senior Member from CA 

WebmasterWorld Senior Member encyclo is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 31, 2003
posts:9063
votes: 2


Google Chrome is an early beta - so crashes are normal, and expected. I would consider the second as being a simple bug report, not a "security advisory". It's just spin/marketing from wannabe security experts feeding on the hype of a product launch.
5:03 pm on Sept 4, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 23, 2002
posts:659
votes: 0


More info.

It seems that someone has found a DoS in Google Chrome. What's interesting is that one of the things that Chrome does is process separation between tabs (or so they claim), yet this DoS manages to take out all of Chrome, not just the tab you visit the page in.
8:10 pm on Sept 4, 2008 (gmt 0)

Preferred Member

10+ Year Member

joined:June 6, 2005
posts:524
votes: 1


Can you believe that is one of the first things I did after downloading?

That's always the first thing I do with any new browser download. Who wants to go digging after a download several folders deep?

9:38 pm on Sept 4, 2008 (gmt 0)

Junior Member

5+ Year Member

joined:July 17, 2008
posts:91
votes: 0


There are few things that Google has that are no longer in Beta...
10:10 pm on Sept 4, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member zeus is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Apr 28, 2002
posts:3443
votes: 1


I was just waiting for this news from the media, just on TV "Google Chrome gives every user a identity no." so they know who surfs what, they just can't let it be, they keep collecting personal info as much as possible.
11:55 pm on Sept 4, 2008 (gmt 0)

Senior Member from CA 

WebmasterWorld Senior Member 10+ Year Member

joined:Nov 25, 2003
posts:889
votes: 56



Google Chrome is an early beta

Those who push an 'early beta' on the general public via a prominent link on one of the web's main search interfaces deserve the result.

Regarding that entire Chrome marketing sentence on the Google main page - it was only a couple of months back that adding the one word 'Privacy' required the intervention of 'The Founders' and the removal of the word 'Copyright' to maintain some mystical word count...

11:17 am on Sept 5, 2008 (gmt 0)

Preferred Member

10+ Year Member

joined:Mar 3, 2001
posts:367
votes: 3


Those who push an 'early beta' on the general public via a prominent link on one of the web's main search interfaces deserve the result.

Absolutely! I had my mum asking me should she download this Chrome Beta thing that Google was on about. I'm guessing there are lots of people who don't have a clue what beta software is.
3:11 pm on Sept 5, 2008 (gmt 0)

New User

5+ Year Member

joined:Aug 13, 2008
posts:18
votes: 0


Yeah, beta software to most people means 'new' or 'shiny'. Where most developers know, 'pre release' or 'ready for user testing'. It's common to find bugs with a new product, hopefully there won't be too many with Chrome!
7:32 pm on Sept 5, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:May 26, 2000
posts:37301
votes: 0


Google tends to use the word "beta" in a non-standard way. They keep the label for a long, long time. Google Chrome has been under development for what, 3-4 years? For lots of companies, that would be version 3!
12:17 am on Sept 6, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 23, 2002
posts:659
votes: 0


I was just waiting for this news from the media, just on TV "Google Chrome gives every user a identity no." so they know who surfs what, they just can't let it be, they keep collecting personal info as much as possible.

Google phones home with your system variables and assigns your browser a unique user ID among other tracking data. And you get a brand new shiny Google tracking cookie that lasts 2 years.

/service/check2?appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D
&appversion=1.2.131.11&applang=&machine=0&version=1.2.131.11
&machineid=%7B4F599683-B0DE-46F0-A73C-E8A4623C92BD%7D
&userid=%7BAD99E17C-DE6C-4ED7-8FE7-4919642086C7%7D&osversion=5.1
&servicepack=Service%20Pack%202 HTTP/1.1
User-Agent: Google Update/1.2.131.11;winhttp
Host: cr-tools.clients.google.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
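
The update-check request quoted in the post above, decoded field by field, as an added example that is not part of the original post or of any Google code. The function names are hypothetical, and treating every GUID-shaped value as a stable identifier is this example's own assumption about the parameters:

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Request text copied from the post above; the request line was wrapped across
# several lines there and the HTTP method was not shown.
CAPTURED = """\
/service/check2?appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D
&appversion=1.2.131.11&applang=&machine=0&version=1.2.131.11
&machineid=%7B4F599683-B0DE-46F0-A73C-E8A4623C92BD%7D
&userid=%7BAD99E17C-DE6C-4ED7-8FE7-4919642086C7%7D&osversion=5.1
&servicepack=Service%20Pack%202 HTTP/1.1
User-Agent: Google Update/1.2.131.11;winhttp
Host: cr-tools.clients.google.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
"""

# Assumption of this example: a brace-wrapped GUID marks a stable identifier.
GUID = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

def parse_request(raw):
    """Return (target, headers), rejoining a request line wrapped over several lines."""
    target_parts, headers = [], {}
    lines = iter(raw.strip().splitlines())
    for line in lines:
        target_parts.append(line.strip())
        if re.search(r"\sHTTP/\d\.\d$", line):  # end of the request line
            break
    for line in lines:  # everything after the request line is a header
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    target = "".join(target_parts).rsplit(" ", 1)[0]  # drop the "HTTP/1.1" suffix
    return target, headers

def classify_params(target):
    """URL-decode the query and split GUID-valued parameters from the rest."""
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    ids = {k: v for k, v in params if GUID.match(v)}
    other = {k: v for k, v in params if not GUID.match(v)}
    return ids, other

if __name__ == "__main__":
    target, headers = parse_request(CAPTURED)
    ids, other = classify_params(target)
    print("Host:", headers.get("host"))
    for name, value in ids.items():
        print("identifier", name, "=", value)
    for name, value in other.items():
        print("system    ", name, "=", repr(value))
```
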
12:26 am on Sept 6, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 23, 2002
posts:659
votes: 0


Additionally, there is another privacy factor in using Google Chrome

Los Angeles (CA) – Can a browser’s search function work too well? After playing around with Google’s brand new Chrome browser, we’ve discovered that its history search box will fetch all types of data - even text from HTTPS-protected financial sites like Washington Mutual and Capital One. With a few utterly simple keywords like balance, account and Sept., everything from balance information, account numbers and even how much you spent at Costco can be pulled up.

[tgdaily.com...]

[edited by: tedster at 2:24 am (utc) on Sep. 6, 2008]
[edit reason] make link clickable [/edit]

12:33 am on Sept 6, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 23, 2002
posts:659
votes: 0


Auto-Suggest Privacy Issues with Google Chrome.

Yes, we will creepily retain your input.

Provided that users leave Chrome's auto-suggest feature on and have Google as their default search provider, Google will have access to any keystrokes that are typed into the browser's Omnibox, even before a user hits enter.

What's more, Google has every intention of retaining some of that data even after it provides the promised suggestions. A Google representative told CNET News that the company plans to store about 2 percent of that data--and plans to store it along with the Internet Protocol address of the computer that typed it.

[news.cnet.com...]

[edited by: tedster at 2:25 am (utc) on Sep. 6, 2008]
[edit reason] make link clickable [/edit]

2:32 am on Sept 6, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:May 26, 2000
posts:37301
votes: 0


Here's another report for a different vulnerability:

The vulnerability is caused due to a boundary error when handling the
"SaveAs" function. On saving a malicious page with an overly long title
(<title> tag in HTML), the program causes a stack-based overflow and makes
it possible for attackers to execute arbitrary code on users' systems.

[securityfocus.com...]

11:05 am on Sept 6, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member billys is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:June 1, 2004
posts:3181
votes: 0


I still don't know why they announced the beta on their home page so quickly. They better close these gaps quickly.
3:51 pm on Sept 6, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member zeus is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Apr 28, 2002
posts:3443
votes: 1


Billys - you can be sure they will NEVER close all trackings, that's what Google is about to get as much info as possible, for ads and who knows what. The reason for a browser from Google is new information from the users, it's that simple.
4:53 pm on Sept 6, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 23, 2002
posts:659
votes: 0


Using a Packet Sniffer to See What Google Chrome Sends Back to Google Labs.

If you use Google Chrome, Google will know every URL you type into the location bar. More than that, they will know (almost) every partial URL you type into the location bar. More than that, they will know every word or phrase you type into the location bar, even if you type it and then delete it before pressing enter. More than that, all this information can be linked with your main Google account, because Google sends your cookie along with every automatic search it performs from the location bar. Chrome will use the cookie of whatever Google account you are currently logged into.

Additionally, this data will be sent to Yahoo or MSN if you have enabled them as the default search engine.

[coderrr.wordpress.com...]

[edited by: tedster at 8:22 pm (utc) on Sep. 6, 2008]
[edit reason] make link clickable [/edit]
