Google readying fix for Chrome file download flaw


Just hours after the release of the Google Chrome browser last month, researcher Aviv Raff discovered that he could combine two vulnerabilities -- a flaw in Apple Safari (WebKit) and a Java bug -- to trick users into launching executables directly from the new browser. (Here's a demo showing how a Google Chrome user can be lured into downloading and launching a JAR (Java Archive) file that gets executed without warning.)

Now, it looks like Google is finally taking the threat seriously with the release of a new Chrome version to developers that changes the download behavior for files that could execute code.

From the changelog:

  • This [version] adds prompting for dangerous types of files (executable) when they are automatically downloaded.
  • The file is saved with a temporary name (dangerous_download_xxxx.download) in the download directory and the user is presented (in the download shelf and the download tab if opened) with a warning message and buttons to save/discard the download.
  • If discarded the download is removed (and its file deleted). If saved, download goes as usual.
  • Dangerous downloads not confirmed by the user are deleted on shutdown.
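
The hold-then-confirm behavior the changelog describes can be sketched as follows. This is an added example, not Chrome's code: the class and function names and the extension list are assumptions, and only the `dangerous_download_xxxx.download` naming pattern comes from the changelog.

```python
import secrets
from pathlib import Path

# Assumption: illustrative list only; the page does not say which types Chrome treats as dangerous.
DANGEROUS_EXTS = {"exe", "jar", "bat", "scr"}


def clean_name(server_name: str) -> str:
    """Reduce a server-supplied filename to a bare name inside the download directory."""
    name = server_name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ")
    if not name:
        raise ValueError("unusable filename")
    return name


def is_dangerous(name: str) -> bool:
    """Match on the last extension, case-insensitively (so Demo.JAR and .jar both count)."""
    return "." in name and name.rsplit(".", 1)[1].lower() in DANGEROUS_EXTS


class DownloadShelf:
    def __init__(self, download_dir):
        self.dir = Path(download_dir)
        self.pending = {}  # temporary path -> name the file gets if the user confirms

    def receive(self, server_name: str, data: bytes) -> Path:
        """Store an automatically started download and return the path written."""
        name = clean_name(server_name)
        if not is_dangerous(name):
            path = self.dir / name
        else:
            # Held under a name with no executable association until the user decides.
            path = self.dir / f"dangerous_download_{secrets.token_hex(2)}.download"
            self.pending[path] = name
        path.write_bytes(data)
        return path

    def save(self, temp: Path) -> Path:
        """User pressed save: the download proceeds as usual under its real name."""
        final = self.dir / self.pending.pop(temp)
        temp.rename(final)
        return final

    def discard(self, temp: Path) -> None:
        """User pressed discard: forget the download and delete its file."""
        del self.pending[temp]
        temp.unlink(missing_ok=True)

    def shutdown(self) -> None:
        """Unconfirmed dangerous downloads do not survive browser exit."""
        for temp in list(self.pending):
            self.discard(temp)
```

The protection is only as good as the extension list: a type missing from `DANGEROUS_EXTS` is written straight to disk under its real name.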

ALSO SEE: Google Chrome vulnerable to carpet-bombing flaw; Google Chrome, the security tidbits


Talkback

11 comments
  • Good

    Google is doing the right thing by addressing this flaw quickly. It's important if they want Chrome's reputation as a secure browser to stick. But I doubt that this is any serious threat. Chrome's market share is next to nothing so I would be very surprised if anyone tried to take advantage of this flaw.
    Viklund
  • hmm

    In the changelog you quote, Ryan, Google changed the
    name extension from dangerous_download_ to
    unconfirmed_.

    When is this due to be released - have you information
    on that?

    Regards,
    Narr Vi
    Narr vi
  • What ... there is another flaw in Chrome?

    The flaws found so far seem to be the easy kind to find. Wait until hackers start to dig deeper . . .
    rmark2
    • What's your point?

      It's a beta - people finding problems is the whole idea so they can fix it. I am not using Chrome as my default browser yet because it's not as good as I would like, I am still on Firefox. But I like the interface and the performance of it, and when they get stuff ironed out I may well switch. At least they don't release a product and call it a production version when it's still blatantly an early beta, unlike some large vendors I could think of.
      thelivo
  • Who decides what is dangerous?

    What allows this exploit to work is that a JAR file is not a Microsoft file type, and therefore the built-in Windows XP handling of downloaded files does not give any additional protection.

    But how is Google deciding what file types are dangerous? Nobody can know all of the various file types that are out there, and which ones are inherently dangerous. Or how about files for which the associated viewer applications may be horribly outdated and vulnerable?

    How about just prompting for *all* downloaded files, eh?
    forrestgump2000
  • 16805 employees no beta-testers

    I would have thought that with that many employees they could have found a few thousand beta-testers to try it before foisting it upon the public.

    I'm a little tired of concepts released as beta and all the lamers fixing it for them.

    Surely Google can do better?
    What are you guys doing with all that dough?
    topsecret1
    • not spending it on beta testing

      they can get for free!
      tikigawd
  • RE: Google readying fix for Chrome file download flaw

    Whenever I try Chrome I just get an ah snap msg... fix that..
    rickmlenator1
    • Symantec Endpoint Protection

      In most cases this issue is caused by Symantec Endpoint Protection complaining about Chrome's multi-process architecture and manually setting security tokens. Surprisingly, the code that is causing the failure is actually removing permissions, rather than trying to add them.
      adzmsane
  • Why use Apple Crap

    Maybe they should have used Gecko rather than Apple Crap Safari (WebKit).
    graham.lv
    • RE: Why use Apple Crap

      WebKit existed before Safari. The fact that Apple uses
      it has nothing to do with this problem.

      And frankly, it's not crap... they have the earnings
      to prove it... and no I don't own a Macintosh.

      -M
      betelgeuse68