Just hours after the release of the Google Chrome browser last month, researcher Aviv Raff discovered that he could combine two vulnerabilities -- a flaw in Apple Safari (WebKit) and a Java bug -- to trick users into launching executables directly from the new browser. (Here's a demo showing how a Google Chrome user can be lured into downloading and launching a JAR (Java Archive) file that gets executed without warning.)
Now, it looks like Google is finally taking the threat seriously with the release of a new Chrome version to developers that changes the download behavior for files that could execute code.
From the changelog:
- This [version] adds prompting for dangerous types of files (executable) when they are automatically downloaded.
- The file is saved with a temporary name (dangerous_download_xxxx.download) in the download directory and the user is presented (in the download shelf and the download tab if opened) with a warning message and buttons to save/discard the download.
- If discarded the download is removed (and its file deleted). If saved, download goes as usual.
- Dangerous downloads not confirmed by the user are deleted on shutdown.
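
The download flow the changelog describes, modelled as an added Python example (this is not Chrome's code or part of the changelog). The class name, the extension list and the four-character random suffix are assumptions; only the `dangerous_download_xxxx.download` naming and the save/discard/shutdown behavior come from the text above.

```python
import os
import secrets
import tempfile

# Assumed extension list; the changelog only says "dangerous types of files (executable)".
DANGEROUS_EXTS = {".exe", ".jar", ".bat", ".msi", ".dll"}

class DownloadShelf:
    """Hypothetical model of the changelog's flow, not Chrome's implementation."""
    def __init__(self, download_dir):
        self.dir = download_dir
        self.pending = {}  # temporary path -> final path awaiting the user's choice

    def automatic_download(self, filename, data):
        # basename() drops directory components from a server-supplied name.
        final = os.path.join(self.dir, os.path.basename(filename))
        if os.path.splitext(final)[1].lower() not in DANGEROUS_EXTS:
            return self._write(final, data)
        # Park the bytes under a name that does not carry the executable extension.
        temp = os.path.join(self.dir, f"dangerous_download_{secrets.token_hex(2)}.download")
        self.pending[temp] = final
        return self._write(temp, data)

    def save(self, temp):
        """User clicked save: the file gets its real name only now."""
        final = self.pending.pop(temp)
        os.replace(temp, final)
        return final

    def discard(self, temp):
        del self.pending[temp]  # user clicked discard: forget it and delete the file
        os.remove(temp)

    def shutdown(self):
        """Unconfirmed dangerous downloads do not survive the session."""
        for temp in list(self.pending):
            self.discard(temp)

    @staticmethod
    def _write(path, data):
        with open(path, "wb") as f:
            f.write(data)
        return path

if __name__ == "__main__":
    shelf = DownloadShelf(tempfile.mkdtemp())
    print("parked as", os.path.basename(shelf.automatic_download("applet.jar", b"PK constructed")))
    shelf.shutdown()
    print("left on disk:", os.listdir(shelf.dir))
```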