News
Google Chrome at Risk from 'Carpet Bomb' Bug
Attackers can combine the months-old "carpet bomb" bug with another flaw disclosed last month to trick people running Google's brand-new Chrome browser into downloading and launching malicious code.
By Gregg Keizer, Computerworld
Users can set an option in Chrome that will thwart Raff's exploit by popping up a warning asking for a filename and location for any downloaded file. To change the setting, select Options under the "Customize and control Google Chrome" menu; the menu is at the far right, near the top, and although not named, looks like a small wrench. Next, click the "Minor Tweaks" tab in the Options window, then check the box that reads "Ask where to save each file before downloading."
The blended threat, Raff argued, illustrates a bigger problem for Chrome, which has borrowed components from both Safari -- via WebKit -- and Mozilla Corp.'s open-source Firefox, from which it has taken unspecified pieces.
Calling the approach "problematic" from a security standpoint, Raff wondered how quickly Google will be able to patch problems in Chrome.
"They'll have to track all security vulnerabilities in those [borrowed] features, and fix them in Chrome too," Raff said in the blog post that spelled out more detail of the Chrome/Java blended threat. "This will probably be only after those vulnerabilities were fixed by the other vendors or were publicly reported. It will put Chrome users at risk for a long time."
Chrome can be downloaded in a version for Windows XP and Vista.



