Google Chrome at risk from 'carpet bomb' bug

More

• Continuing coverage: Google's Chrome browser
• Review: Google's Chrome -- the first true Web 2.0 browser
• FAQ: Google polishes up its new browser, Chrome
• Researcher: Chrome's isolated tabs make it memory 'pig'
• Chrome grabs 1% of browser market in under 24 hours
• John Brandon: Chrome is Google 2.0
• Steven J. Vaughan-Nichols: Google Chrome: First run around the track
• Seth Weintraub: Google Chrome is a mixed bag for Apple
• First Look: Is Google's Chrome a glimpse of the future?
• Google's Chrome aims to kill Windows, make Web the OS of choice
• Preston Gralla: Chrome takes dead aim at Windows 7 and Microsoft Office

Computerworld - Attackers can combine a months-old "carpet bomb" bug with another flaw disclosed last month to trick people running Google Inc.'s brand-new Chrome browser into downloading and launching malicious code, a security researcher said today.

The attacks are possible because Google used an older version of WebKit, an open-source rendering engine that also powers Apple Inc.'s Safari, as the foundation of Chrome, said Israeli researcher Aviv Raff on Wednesday.

Raff posted a proof-of-concept exploit to demonstrate how hackers could create a new "blended threat" -- so-named because it relies on multiple vulnerabilities -- to attack Chrome, the browser Google released this week.

"This is different from the Safari/IE blended threat," said Raff in an interview conducted via instant messaging. "It's a different blend with one similar component. It uses the auto-download vulnerability (aka 'Carpet Bomb') in combination with a [user interface] design flaw and an issue with Java that doesn't display a warning on execution of JAR files downloaded from the Internet." Raff's reference to the earlier Safari/IE blended threat was to his May report that said a bug in Apple's Safari browser could be paired with an unpatched vulnerability in Microsoft Corp.'s Internet Explorer (IE) to compromise Windows PCs.

The carpet-bomb bug -- revealed by researcher Nitesh Dhanjani in early May and named for the way it could be used to dump files onto the Windows desktop -- stemmed from the fact that Safari did not require a user's permission to download a file. Attackers, Dhanjani said, could populate a malicious site with rogue code that Safari would automatically download to the desktop, where it might tempt a curious user into opening the file.

After first balking -- for a time it refused to classify the flaw as a security vulnerability -- Apple patched the bug in mid-June by updating Safari to 3.1.2.

But Google used a prepatch version of WebKit to build Chrome, and so the bug, which was also patched in later editions of WebKit, slipped through. According to Raff, the Chrome beta uses the older WebKit 525.13, the engine used by Safari 3.1.

Raff combined the still-there carpet-bomb bug with another reported by U.K.-based penetration tester Petko Petkov at the Black Hat security conference last month. At the time, Petkov outlined how a Java flaw allows Windows to automatically execute JAR files without prompting or warning the user.

Chrome also contributes to the problem, said Raff, by making downloaded files appear as buttons at the bottom of the browser's frame. "One click on this button will execute the file," Raff said. Attackers could place malware on a malicious site, then wait for -- or better yet, draw in -- users running Chrome. The browser would not warn the user of the JAR file automatically downloaded from the site, and the button-style indicator in Chrome could be easily mistaken for part of the application.