
Forum Moderators: incrediBILL


Google Chrome Download Vulnerability

allows files to be downloaded without prompting the user

     
7:00 pm on Sep 3, 2008 (gmt 0)

WebmasterWorld Administrator coopster is a WebmasterWorld Top Contributor of All Time 10+ Year Member



US-CERT is aware of a vulnerability that affects the Google Chrome web browser. This vulnerability is due to a default configuration that allows files to be downloaded without prompting the user. In addition, downloaded files can be opened with a single click, which could allow a user to inadvertently open a malicious file.

US-CERT encourages users to enable the "Ask where to save each file before downloading" option within the "Minor Tweaks" tab in the browser preferences. Although this does not fix the underlying vulnerability, selecting this option will warn the user before files are downloaded. Users should still exercise caution when visiting and downloading items from untrusted websites.

US-CERT will provide additional information as it becomes available.

The alert is running on the US-CERT Current Activity page [us-cert.gov] right now, but not much else for details.

7:05 pm on Sep 3, 2008 (gmt 0)

WebmasterWorld Senior Member pageoneresults is a WebmasterWorld Top Contributor of All Time 10+ Year Member



US-CERT encourages users to enable the "Ask where to save each file before downloading" option within the "Minor Tweaks" tab in the browser preferences.

Can you believe that is one of the first things I did after downloading? :)

How ironic eh? How many more of these are we going to see over the next who knows how long? ;)

7:24 pm on Sep 3, 2008 (gmt 0)

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member



This sounds like the same issue Safari has [webmasterworld.com] -- but I thought Google Chrome only used the same rendering engine.

8:14 pm on Sep 3, 2008 (gmt 0)

WebmasterWorld Senior Member encyclo is a WebmasterWorld Top Contributor of All Time 10+ Year Member



To be fair - this is an early beta, so finding problems is not surprising. However, it is a reminder that making a new browser is hard, other browsers have been through periods of intense scrutiny from the security industry, and browsers are particularly vulnerable to security holes due to their complexity.

It will be interesting to see how Google's patching process works in this case - it's very unlikely to be the only security hole in their browser.

8:56 pm on Sep 3, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Well, google covered their ass by labeling Chrome as being 'beta' :P

9:10 pm on Sep 3, 2008 (gmt 0)

5+ Year Member



being 'beta'

gmail is still beta. Indeed looks like ****** coverage

9:30 pm on Sep 3, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I think this is funny considering the emphasis they put on that feature in the webcast. They were so happy about one click downloading and execution. I wondered how long it'd go before someone came out against it.

9:40 pm on Sep 3, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



but I thought Google Chrome only used the same rendering engine.

Within the Register url posted by PageOneResults they mention this at the bottom of page.

[theregister.co.uk...]

Apple patched the vulnerability with Safari v3.1.2, but the underlying software behind Chrome is based on older code, hence the vulnerability.

9:40 pm on Sep 3, 2008 (gmt 0)

5+ Year Member



I really hoped Google had developed a browser from the ground up. Ouch, Safari bugs, not good press for Google.

11:22 pm on Sep 3, 2008 (gmt 0)

10+ Year Member



Is that the same "Security Flaw" I saw in the article in ReadWriteWeb by Frederic Lardinois? (I think perhaps I am not allowed to post the link to it here?)

1:01 am on Sep 4, 2008 (gmt 0)

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Same one - there's only one Chrome security flaw being kicked around at the moment, and this one is apparently inherited from the WebKit engine that Chrome uses.

As with Safari, just make the intentional decision about where to store your downloads and you've bypassed the vulnerability.

11:08 am on Sep 4, 2008 (gmt 0)

5+ Year Member



mozilla with new look = google chrome

2:37 pm on Sep 4, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



More trouble for Google Chrome Browser:

An issue exists in how chrome behaves with undefined-handlers in chrome.dll version
0.2.149.27. A crash can result without user interaction. When a user is made to visit
a malicious link, which has an undefined handler followed by a 'special' character,
the chrome crashes with a Google Chrome message window "Whoa! Google Chrome has crashed.
Restart now?".

[evilfingers.com...]

[edited by: tedster at 3:51 pm (utc) on Sep. 4, 2008]
[edit reason] attribute the quote [/edit]

3:53 pm on Sep 4, 2008 (gmt 0)

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member



That's an interesting report - but apparently the browser crashes rather than becoming open to an exploit. Not too much of a worry unless someone finds a malicious way to exploit the crash.

4:32 pm on Sep 4, 2008 (gmt 0)

WebmasterWorld Senior Member encyclo is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Google Chrome is an early beta - so crashes are normal, and expected. I would consider the second as being a simple bug report, not a "security advisory". It's just spin/marketing from wannabe security experts feeding on the hype of a product launch.

5:03 pm on Sep 4, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



More info.

It seems that someone has found a DoS in Google Chrome. What's interesting is that one of the things that Chrome does is process separation between tabs (or so they claim), yet this DoS manages to take out all of Chrome, not just the tab you visit the page in.

8:10 pm on Sep 4, 2008 (gmt 0)

10+ Year Member



Can you believe that is one of the first things I did after downloading?

That's always the first thing I do with any new browser download. Who wants to go digging after a download several folders deep?

9:38 pm on Sep 4, 2008 (gmt 0)

5+ Year Member



There are few things that Google has that are no longer in Beta...

10:10 pm on Sep 4, 2008 (gmt 0)

WebmasterWorld Senior Member zeus is a WebmasterWorld Top Contributor of All Time 10+ Year Member



I was just waiting for this news from the media, just on TV "Google Chrome gives every user an identity no." so they know who surfs what, they just can't let it be, they keep collecting personal info as much as possible.

11:55 pm on Sep 4, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member




Google Chrome is an early beta

Those who push an 'early beta' on the general public via a prominent link on one of the web's main search interfaces deserve the result.

Regarding that entire Chrome marketing sentence on the Google main page - it was only a couple of months back that adding the one word 'Privacy' required the intervention of 'The Founders' and the removal of the word 'Copyright' to maintain some mystical word count...

11:17 am on Sep 5, 2008 (gmt 0)

10+ Year Member



Those who push an 'early beta' on the general public via a prominent link on one of the web's main search interfaces deserve the result.

Absolutely! I had my mum asking me should she download this Chrome Beta thing that Google was on about. I'm guessing there are lots of people who don't have a clue what beta software is.

3:11 pm on Sep 5, 2008 (gmt 0)

5+ Year Member



Yeah, beta software to most people means 'new' or 'shiny'. Where most developers know, 'pre release' or 'ready for user testing'. It's common to find bugs with a new product, hopefully there won't be too many with Chrome!

7:32 pm on Sep 5, 2008 (gmt 0)

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Google tends to use the word "beta" in a non-standard way. They keep the label for a long, long time. Google Chrome has been under development for what, 3-4 years? For lots of companies, that would be version 3!

12:17 am on Sep 6, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I was just waiting for this news from the media, just on TV "Google Chrome gives every user an identity no." so they know who surfs what, they just can't let it be, they keep collecting personal info as much as possible.

Google phones home with your system variables and assigns your browser a unique user ID among other tracking data. And you get a brand new shiny Google tracking cookie that lasts 2 years.

/service/check2?appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D
&appversion=1.2.131.11&applang=&machine=0&version=1.2.131.11
&machineid=%7B4F599683-B0DE-46F0-A73C-E8A4623C92BD%7D
&userid=%7BAD99E17C-DE6C-4ED7-8FE7-4919642086C7%7D&osversion=5.1
&servicepack=Service%20Pack%202 HTTP/1.1
User-Agent: Google Update/1.2.131.11;winhttp
Host: cr-tools.clients.google.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
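
As an added example (not part of the original post and not Google's code), this Python sketch decodes the update-check request target quoted above and separates the GUID-valued parameters that would persist per installation from plain environment fields. Treating `appid` as a product identifier and the other GUIDs as per-install identifiers is an assumption based on the parameter names alone.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request target reassembled from the wrapped lines quoted in the post above.
REQUEST_TARGET = (
    "/service/check2?appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D"
    "&appversion=1.2.131.11&applang=&machine=0&version=1.2.131.11"
    "&machineid=%7B4F599683-B0DE-46F0-A73C-E8A4623C92BD%7D"
    "&userid=%7BAD99E17C-DE6C-4ED7-8FE7-4919642086C7%7D&osversion=5.1"
    "&servicepack=Service%20Pack%202"
)

# A brace-wrapped GUID such as {4F599683-B0DE-46F0-A73C-E8A4623C92BD}.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Assumption: appid names the product; any other GUID is tied to one install.
PRODUCT_KEYS = {"appid"}


def classify_params(target):
    """Return {name: (decoded_value, category)} for each query parameter."""
    result = {}
    query = urlsplit(target).query
    # keep_blank_values so empty fields (applang=) are reported, not dropped.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if GUID_RE.match(value):
            category = "product-guid" if name in PRODUCT_KEYS else "per-install-guid"
        elif value == "":
            category = "empty"
        else:
            category = "environment"
        result[name] = (value, category)
    return result


def tracking_identifiers(target):
    """Names of parameters carrying a GUID that is stable for one install."""
    params = classify_params(target)
    return sorted(n for n, (_, cat) in params.items() if cat == "per-install-guid")


if __name__ == "__main__":
    for name, (value, category) in classify_params(REQUEST_TARGET).items():
        print(f"{name:12} {category:17} {value}")
    print("stable identifiers:", tracking_identifiers(REQUEST_TARGET))
```

The same classification can be run over proxy logs to list which outbound requests carry a GUID that stays constant across sessions.
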

12:26 am on Sep 6, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Additionally, there is another privacy factor in using Google Chrome

Los Angeles (CA) – Can a browser’s search function work too well? After playing around with Google’s brand new Chrome browser, we’ve discovered that its history search box will fetch all types of data - even text from HTTPS-protected financial sites like Washington Mutual and Capital One. With a few utterly simple keywords like balance, account and Sept., everything from balance information, account numbers and even how much you spent at Costco can be pulled up.

[tgdaily.com...]

[edited by: tedster at 2:24 am (utc) on Sep. 6, 2008]
[edit reason] make link clickable [/edit]

12:33 am on Sep 6, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Auto-Suggest Privacy Issues with Google Chrome.

Yes, we will creepily retain your input.

Provided that users leave Chrome's auto-suggest feature on and have Google as their default search provider, Google will have access to any keystrokes that are typed into the browser's Omnibox, even before a user hits enter.

What's more, Google has every intention of retaining some of that data even after it provides the promised suggestions. A Google representative told CNET News that the company plans to store about 2 percent of that data--and plans to store it along with the Internet Protocol address of the computer that typed it.

[news.cnet.com...]

[edited by: tedster at 2:25 am (utc) on Sep. 6, 2008]
[edit reason] make link clickable [/edit]

2:32 am on Sep 6, 2008 (gmt 0)

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Here's another report for a different vulnerability:

The vulnerability is caused due to a boundary error when handling the
"SaveAs" function. On saving a malicious page with an overly long title
(<title> tag in HTML), the program causes a stack-based overflow and makes
it possible for attackers to execute arbitrary code on users' systems.

[securityfocus.com...]

11:05 am on Sep 6, 2008 (gmt 0)

WebmasterWorld Senior Member billys is a WebmasterWorld Top Contributor of All Time 10+ Year Member



I still don't know why they announced the beta on their home page so quickly. They better close these gaps quickly.

3:51 pm on Sep 6, 2008 (gmt 0)

WebmasterWorld Senior Member zeus is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Billys - you can be sure they will NEVER close all trackings, that's what Google is about, to get as much info as possible, for ads and who knows what. The reason for a browser from Google is new information from the users, it's that simple.

4:53 pm on Sep 6, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Using a Packet Sniffer to See What Google Chrome Sends Back to Google Labs.

If you use Google Chrome, Google will know every URL you type into the location bar. More than that, they will know (almost) every partial URL you type into the location bar. More than that, they will know every word or phrase you type into the location bar, even if you type it and then delete it before pressing enter. More than that, all this information can be linked with your main Google account, because Google sends your cookie along with every automatic search it performs from the location bar. Chrome will use the cookie of whatever Google account you are currently logged into.

Additionally, this data will be sent to Yahoo or MSN if you have enabled them as the default search engine.

[coderrr.wordpress.com...]

[edited by: tedster at 8:22 pm (utc) on Sep. 6, 2008]
[edit reason] make link clickable [/edit]
