News

Google Chrome at Risk from 'Carpet Bomb' Bug

Attackers can combine the months-old "carpet bomb" bug with another flaw disclosed last month to trick people running Google's brand-new Chrome browser into downloading and launching malicious code.

By Gregg Keizer, Computerworld

September 04, 2008CSO — Attackers can combine the months-old "carpet bomb" bug with another flaw disclosed last month to trick people running Google Inc.'s brand-new Chrome browser into downloading and launching malicious code, a security researcher said today.

The attacks are possible because Google used an older version of WebKit, the open-source rendering engine that also powers Apple Inc.'s Safari, as the foundation of Chrome, said Israeli researcher Aviv Raff on Wednesday.

Raff posted a proof-of-concept exploit to demonstrate how hackers could create a new "blended threat" -- so-named because it relies on multiple vulnerabilities -- to attack Chrome, the browser Google released this week.

"This is different from the Safari/IE blended threat," said Raff in an interview conducted via instant messaging. "It's a different blend with one similar component. It uses the auto-download vulnerability (aka 'Carpet Bomb') in combination with a [user interface] design flaw and an issue with Java that doesn't display a warning on execution of JAR files downloaded from the Internet." Raff's reference to the earlier Safari/IE blended threat was to his May report that said a bug in Apple Inc.'s Safari browser could be paired with an unpatched vulnerability in Microsoft Corp.'s Internet Explorer (IE) to compromise Windows PCs.

The "carpet bomb" bug, revealed by researcher Nitesh Dhanjani in early May and named for the way it could be used to dump files onto the Windows desktop, stemmed from the fact that Safari did not require a user's permission to download a file. Attackers, Dhanjani said, could populate a malicious site with rogue code that Safari would automatically download to the desktop, where it might tempt a curious user into opening the file.

After first balking -- for a time it refused the classify the flaw as a security vulnerability -- Apple patched the bug in mid-June by updating Safari to 3.1.2. But Google used a pre-patch version of WebKit to build Chrome, and so the bug, which was also patched in later editions of WebKit, slipped through. According to Raff, the Chrome beta uses the older WebKit 525.13, the engine used by Safari 3.1.

Raff combined the still-there carpet bomb bug with another reported by U.K.-based penetration tester Petko Petkov at the Black Hat security conference last month. At the time, Petkov outlined how a Java flaw allows Windows to automatically execute JAR files without prompting or warning the user.

Chrome also contributes to the problem, said Raff, by making downloaded files appear as buttons at the bottom of the browser's frame. "One click on this button will execute the file," Raff said. Attackers could place malware on a malicious site, then wait for -- or better yet, draw in -- users running Chrome. The browser would not warn the user of the JAR file automatically downloaded from the site, and the button-style indicator in Chrome could be easily mistaken for part of the application.

RESOURCE CENTER
Loading...
VIRTUAL CONFERENCE
Data Center Directions Virtual Conference

Data Center VCAttend this free, 100% online event exploring tools and techniques for making your data center deliver for today and tomorrow.

» Learn more and register here

WEBCAST
The Surest Path to Effective and Efficient Compliance

VeriSignIn this webcast, we explore why and how — with best practices, practical tips and solutions that work — to ease your compliance challenge.

» View the webcast

Featured Sponsors
Sponsored Links

E-LOAN Maintains Reputation as a Privacy Leader with Symantec

Data Loss Prevention: Keeping Sensitive Data Out of the Wrong Hands

Prudential Financial Protects its Brand with Symantec

The Case for Business Software Assurance ~ Securing Your Applications

IS/IT Project Mgt. Credentials From Villanova - 100% Online

Learn how the new Quad-Core AMD Opteron™ processor improves performance

Data Protection: Challenges for the Traveling User

Key strategies for C-level executives and security staff

Envision Identity-Based Access Control for the Datacenter

Using Likewise to Comply with PCI Data Security Standard

Think your data is safe? Think again. It's time to Outthink the Threat. Get eBook now

IDC Defines an Identity and Access Management Submarket

IDC Defines an Identity and Access Management Submarket for Managing Privileged User Accounts and Meeting GRC Requirements

Everything Today's CISO Needs to Know About Using SSO to Succeed in the Web 2.0 Era

7 Requirements of Data Loss Prevention

Information Security: Data Drains and How to Prevent Loss

How Are Open Source Development Communities Embracing Security Best Practices?

Forrester Total Economic Impact (TEI) report: Save Millions in Fraud Losses.

Configuration Assessment: Choosing the Right Solution

Revolutionizing Endpoint Security with a Single Agent

Envision Identity-Based Access Control for the Datacenter

Rolling the dice with your security? Take the Self-Assessment Test now

Digital Identity Protection and Data Security Get Personal

Solving Online Credit Fraud Using Device Reputation

Diebold: Frost & Sullivan Global Physical Security Systems Integrator of the Year

Welcome to the age of Service-Oriented Security (SOS)

Enabling Compliance with Converged Mainframe Security and Storage