Google readying fix for Chrome file download flaw

Just hours after the release of the Google Chrome browser last month, researcher Aviv Raff discovered that he could combine two vulnerabilities -- a flaw in Apple Safari (WebKit) and a Java bug -- to trick users into launching executables directly from the new browser. (Here's a demo showing how a Google Chrome user can be lured into downloading and launching a JAR (Java Archive) file that gets executed without warning.)

Now, it looks like Google is finally taking the threat seriously with the release to developers of a new Chrome version that changes the download behavior for files that could execute code.

From the changelog:

  • This [version] adds prompting for dangerous types of files (executable) when they are automatically downloaded.
  • The file is saved with a temporary name (dangerous_download_xxxx.download) in the download directory and the user is presented (in the download shelf and the download tab if opened) with a warning message and buttons to save/discard the download.
  • If discarded the download is removed (and its file deleted). If saved, download goes as usual.
  • Dangerous downloads not confirmed by the user are deleted on shutdown.
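
The flow the changelog describes, sketched as an added example (this is not Chrome's code). The `DownloadShelf` class, its method names, the extension list and the random suffix format are assumptions made for illustration; the changelog only says "executable" and `dangerous_download_xxxx.download`.

```python
import os
import secrets
from pathlib import Path

# Assumed set of "dangerous" types; the changelog does not list them.
DANGEROUS_EXTS = {".exe", ".jar", ".bat", ".cmd", ".scr", ".msi"}


class DownloadShelf:
    """Keeps unconfirmed dangerous downloads under a temporary, inert name."""

    def __init__(self, download_dir):
        self.dir = Path(download_dir)
        self.pending = {}  # temporary path -> file name the site asked for

    def receive(self, filename, data):
        """Store an automatic download; return (path, needs_user_prompt)."""
        # Keep only the base name so a site-supplied name cannot pick the directory.
        name = Path(filename).name or "download"
        if Path(name).suffix.lower() not in DANGEROUS_EXTS:
            path = self.dir / name
            path.write_bytes(data)
            return path, False
        # The .download extension has no handler, so a click cannot launch it.
        temp = self.dir / f"dangerous_download_{secrets.token_hex(4)}.download"
        temp.write_bytes(data)
        self.pending[temp] = name
        return temp, True

    def save(self, temp):
        """User confirmed: the file gets its real name only now."""
        final = self.dir / self.pending.pop(temp)
        os.replace(temp, final)
        return final

    def discard(self, temp):
        """User declined: forget the download and delete its file."""
        self.pending.pop(temp)
        temp.unlink(missing_ok=True)

    def shutdown(self):
        """Anything still unconfirmed at exit is deleted."""
        for temp in list(self.pending):
            self.discard(temp)
```

The point of the design is that an executable never exists on disk under a launchable name until the user has explicitly chosen to save it.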
