Zero Day

Ryan Naraine and Dancho Danchev

Google Chrome vulnerable to carpet-bombing flaw

By Ryan Naraine | September 2, 2008, 3:05pm PDT

Summary

Google’s shiny new Web browser is vulnerable to a carpet-bombing vulnerability that could expose Windows users to malicious hacker attacks.


Blogger Info

Ryan Naraine

Biography

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Dancho Danchev

Biography

Dancho Danchev is an independent security consultant and cyber threats analyst with extensive experience in open source intelligence gathering and cybercrime incident response. He has been an active security blogger since 2007 and maintains a popular security blog that shares real-time threat intelligence data with the rest of the community on a daily basis. More details on Dancho Danchev's current and past professional affiliations can be found in his LinkedIn profile. You can also follow him on Twitter.


Just hours after the release of Google Chrome, researcher Aviv Raff discovered that he could combine two vulnerabilities — a flaw in Apple Safari (WebKit) and a Java bug discussed at this year’s Black Hat conference — to trick users into launching executables direct from the new browser.

Raff has cooked up a harmless demo of the attack in action, showing how a Google Chrome user can be lured into downloading and launching a JAR (Java Archive) file that gets executed without warning.


In the proof-of-concept, Raff’s code shows how a malicious hacker can use a clever social engineering lure — it requires two mouse clicks — to plant malware on Windows desktops.

The Google Chrome user-agent string shows that Chrome is actually built on WebKit 525.13 (Safari 3.1), an outdated and vulnerable version of that browser.

Apple patched the carpet-bombing issue with Safari v3.1.2.
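The user-agent observation above can be turned into a routine inventory check. The script below is an added example, not Raff's demo or code from Google or Apple: it parses the WebKit build out of user-agent strings in proxy log lines and flags any build at or below 525.13, the build the article identifies as outdated. The log lines, client addresses and the 525.19 build on the second line are constructed for illustration, not real observed values.

```python
import re
from typing import List, Optional, Tuple

# The article reports that Chrome's user-agent exposes WebKit 525.13, the
# engine shipped with Safari 3.1, and that Apple's fix arrived in Safari
# 3.1.2; treat 525.13 and anything older as outdated.
KNOWN_OUTDATED_MAX = (525, 13)

_WEBKIT_RE = re.compile(r"AppleWebKit/(\d+(?:\.\d+)*)")
_PRODUCT_RE = re.compile(r"\b(Chrome|Version)/(\d+(?:\.\d+)*)")


def webkit_build(user_agent: str) -> Optional[Tuple[int, ...]]:
    """Return the WebKit build as an int tuple so builds compare numerically."""
    m = _WEBKIT_RE.search(user_agent)
    if not m:
        return None  # not a WebKit-based browser
    return tuple(int(p) for p in m.group(1).split("."))


def is_outdated_webkit(user_agent: str, ceiling=KNOWN_OUTDATED_MAX) -> bool:
    """True when the UA reports a WebKit build at or below the ceiling."""
    build = webkit_build(user_agent)
    return build is not None and build <= ceiling


def flag_outdated(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, product, webkit_build) for each line with an outdated UA."""
    flagged = []
    for line in log_lines:
        client, _, ua = line.partition(" ")
        if is_outdated_webkit(ua):
            prod = _PRODUCT_RE.search(ua)
            product = f"{prod.group(1)}/{prod.group(2)}" if prod else "unknown"
            flagged.append((client, product, ".".join(map(str, webkit_build(ua)))))
    return flagged


# Constructed sample proxy log ("<client-ip> <user-agent>" per line); the
# 525.19 build on the second line is invented for contrast.
SAMPLE_LOG = [
    "10.0.0.5 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.27 Safari/525.13",
    "10.0.0.6 Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Version/3.1.2 Safari/525.19",
    "10.0.0.7 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1",
]

if __name__ == "__main__":
    for client, product, build in flag_outdated(SAMPLE_LOG):
        print(f"{client}: {product} on WebKit {build} (at or below 525.13)")
```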

Some Google Chrome early adopters using Windows Vista are reporting that files downloaded from the Internet are automatically dropped on the desktop, setting up a scenario in which a combination attack using this unpatched IE flaw could be mounted.


Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a security evangelist. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.


Talkback (most recent of 129)

  • Especially when it's built...
    ...on previously compromised code. Wonder if Apple bothered to remind them of that little factoid.
    (flatliner, 09/02/2008 09:28 PM)
  • Why would Apple tell them?
    Anyone can download the source. It's fairly difficult for all possessors of the source to be notified directly.
    (rpmyers1, 09/03/2008 06:09 AM)
  • No one except Google
    is to blame for this pathetic oversight.

    Sure, Apple's original software had the flaw, but given that this was a KNOWN flaw, once Google modified it and slapped its name on it Apple's responsibility ended.

    Wow. Pathetic, just pathetic.
    (tikigawd, 09/03/2008 09:16 AM)
  • Yep. Pretty lame.
    I was wondering about it when I read that Chrome was based on WebKit, as is Safari.

    Duh.
    (seanferd, 09/03/2008 06:59 PM)
  • Give me a break! It's a BETA...
    Let me remind EVERYONE here, this is a BETA RELEASE... they have NOT yet CLAIMED to be vulnerability free!!! The point of a beta is to allow users to try a PRE-RELEASE of the software... when you download the software, you agree to their terms, which state they take no responsibility for downloading the BETA PRE-RELEASE of the software... I will agree it seems silly that they didn't build off of the latest release of WebKit; however, unless you are a coder, and unless you understand what must truly go into the creation of software, I don't want to hear you calling a brilliant new entry into the web browser war...
    (jacobfogg, 09/04/2008 08:57 AM)
  • As usual...
    I'm impressed by your (jason) beautiful words supporting the crashing of the Google Chrome. If this had happened to Microsoft, everyone would throw hot-blows on them. When it comes to Google Chrome, everyone is speaking about 'this is beta', 'there might be bugs', and thus the supporting explanations go on.
    I still know a lot of forums shouting at the bugs in the IE8 beta release. At that time, there was no one to think that IE is in BETA state.
    Anyway, choices & opinions are personal. It will be much better if you watch your back at the time of commenting.
    (abhilashca, edited 09/04/2008 10:14 AM)
  • ie8 = beta?
    You are kidding, right? IE8 != IE1. It's evolutionary, not revolutionary. Chrome is brand spankin' new, not built atop previous releases.

    It's an oversight on the version of the software used to build it, not something that's coded into the product.
    (smoring, 09/05/2008 05:46 PM)
  • except WebKit is NOT the compromised code
    The exploit has nothing to do with WebKit; it's about Apple's decision to automatically download anything with Safari, which is part of the UI shell, not the WebKit engine.

    Chrome already has an option to prompt every time before download, so it's actually NOT vulnerable to this carpet bombing exploit.
    (wellofsouls, 09/03/2008 08:41 PM)
  • more typical ZDNet FUD
    Chrome prevents access to user folders, including the desktop, using permissions. R-E-S-E-A-R-C-H
    (ericesque, 09/02/2008 03:43 PM)
  • Are u sure?
    Google did say they don't have full control of those plug-ins running inside Chrome.
    (LBiege, 09/02/2008 03:45 PM)
  • RTFA
    Did you see where demos were made, along with a link? Don't believe it? Try it yourself.
    (rpmyers1, 09/02/2008 04:15 PM)
  • OOPS
    Apologies!
    egg on face
    mouth outfitted with shoe store
    etc...

    In my defense, I read the whole comic, so clearly I am a Chrome security expert already... there must be something wrong with the intarweb.
    (ericesque, 09/02/2008 06:06 PM)
  • RE: Google Chrome vulnerable to carpet-bombing flaw
    "Raff’s code shows how a malicious hacker can use a clever social engineering lure — it requires two mouse clicks — to plant malware on Windows desktops."

    I can do that in one click. Open Internet Explorer.
    (drhowarddrfine, 09/02/2008 06:46 PM)
