Welcome to WebmasterWorld Guest from 22.214.171.124
Forum Moderators: incrediBILL
US-CERT is aware of a vulnerability that affects the Google Chrome web browser. This vulnerability is due to a default configuration that allows files to be downloaded without prompting the user. In addition, downloaded files can be opened with a single click, which could allow a user to inadvertently open a malicious file.US-CERT encourages users to enable the "Ask where to save each file before downloading" option within the "Minor Tweaks" tab in the browser preferences. Although this does not fix the underlying vulnerability, selecting this option will warn the user before files are downloaded. Users should still exercise caution when visiting and downloading items from untrusted websites.US-CERT will provide additional information as it becomes available.
The alert is running on the US-CERT Current Activity page [us-cert.gov] right now, but not much else for details.
US-CERT encourages users to enable the "Ask where to save each file before downloading" option within the "Minor Tweaks" tab in the browser preferences.
Can you believe that is one of the first things I did after downloading? :)
How ironic eh? How many more of these are we going to see over the next who knows how long? ;)
It will be interesting to see how Google's patching process works in this case - it's very unlikely to be the only security hole in their browser.
but I thought Google Chrome only used the same rendering engine.
Within the Register url posted by PageOneResults they mention this at the bottom of page.
Apple patched the vulnerability with Safari v3.1.2, but the underlying software behind Chrome is based on older code, hence the vulnerability.
As with Safari, just make the intentional decision about where to store your downloads and you've bypassed the vulnerability.
An issue exists in how chrome behaves with undefined-handlers in chrome.dll version
0.2.149.27. A crash can result without user interaction. When a user is made to visit
a malicious link, which has an undefined handler followed by a 'special' character,
the chrome crashes with a Google Chrome message window "Whoa! Google Chrome has crashed.
[edited by: tedster at 3:51 pm (utc) on Sep. 4, 2008]
[edit reason] attribute the quote [/edit]
It seems that someone has found a DoS in Google Chrome. What's interesting is that one of the thngs that Chrome does is process separation between tabs (or so they claim), yet this DoS manages to take out all of Chrome, not just the tab you visit the page in.
Google Chrome is an early beta
Regarding that entire Chrome marketing sentence on the Google main page - it was only a couple of months back that adding the one word 'Privacy' required the intervention of 'The Founders' and the removal of the word 'Copyright' to maintain some mystical word count...
Those who push an 'early beta' on the general public via a prominent link on one of the web's main search interfaces deserve the result.
I was just waiting for this news from the media, just on TV "Google Chrome gives every user a identity no." so they know how surfs what, they just cant let it be, they keep collecting personal info as much as possible.
Google phones home with your system variables and assigns your browser an unique user ID among other tracking data. And you get a brand new shiny Google tracking cookie that lasts 2 years.
User-Agent: Google Update/126.96.36.199;winhttp
Los Angeles (CA) – Can a browser’s search function work too well? After playing around with Google’s brand new Chrome browser, we’ve discovered that its history search box will fetch all types of data - even text from HTTPS-protected financial sites like Washington Mutual and Capital One. With a few utterly simple keywords like balance, account and Sept., everything from balance information, account numbers and even how much you spent at Costco can be pulled up.
[edited by: tedster at 2:24 am (utc) on Sep. 6, 2008]
[edit reason] make link cliackable [/edit]
Yes, we will creepily retain your input.
Provided that users leave Chrome's auto-suggest feature on and have Google as their default search provider, Google will have access to any keystrokes that are typed into the browser's Omnibox, even before a user hits enter.
What's more, Google has every intention of retaining some of that data even after it provides the promised suggestions. A Google representative told CNET News that the company plans to store about 2 percent of that data--and plans to store it along with the Internet Protocol address of the computer that typed it.
[edited by: tedster at 2:25 am (utc) on Sep. 6, 2008]
[edit reason] make link clickable [/edit]
The vulnerability is caused due to a boundary error when handling the
"SaveAs" function. On saving a malicious page with an overly long title
(<title> tag in HTML), the program causes a stack-based overflow and makes
it possible for attackers to execute arbitrary code on users' systems.
If you use Google Chrome, Google will know every URL you type into the location bar. More than that, they will know (almost) every partial URL you type into the location bar. More than that, they will know every word or phrase you type into the location bar, even if you type it and then delete it before pressing enter. More than that, all this information can be linked with your main Google account, because Google sends your cookie along with every automatic search it performs from the location bar. Chrome will use the cookie of whatever Google account you are currently logged into.
Additionally, this data will be sent to Yahoo or MSN if you have enabled them as the default search engine.
[edited by: tedster at 8:22 pm (utc) on Sep. 6, 2008]
[edit reason] make link clickable [/edit]