Google Chrome at risk from 'carpet bomb' bug

Chrome suffers similar vulnerability to Apple's Safari carpet bomb bug.

Attackers can combine the months-old "carpet bomb" bug with another flaw disclosed last month to trick people running Google's brand-new Chrome browser into downloading and launching malicious code, a security researcher said today.

The attacks are possible because Google used an older version of WebKit, the open-source rendering engine that also powers Apple's Safari, as the foundation of Chrome, said Israeli researcher Aviv Raff on Wednesday.

Raff posted a proof-of-concept exploit to demonstrate how hackers could create a new "blended threat" -- so-named because it relies on multiple vulnerabilities -- to attack Chrome, the browser Google released this week.

"This is different from the Safari/IE blended threat," said Raff in an interview conducted via instant messaging. "It's a different blend with one similar component. It uses the auto-download vulnerability (aka 'Carpet Bomb') in combination with a [user interface] design flaw and an issue with Java that doesn't display a warning on execution of JAR files downloaded from the Internet." Raff's reference to the earlier Safari/IE blended threat was to his May report that said a bug in Apple's Safari browser could be paired with an unpatched vulnerability in Microsoft's Internet Explorer (IE) to compromise Windows PCs.

The "carpet bomb" bug, revealed by researcher Nitesh Dhanjani in early May and named for the way it could be used to dump files onto the Windows desktop, stemmed from the fact that Safari did not require a user's permission to download a file. Attackers, Dhanjani said, could populate a malicious site with rogue code that Safari would automatically download to the desktop, where it might tempt a curious user into opening the file.

After first balking -- for a time it refused the classify the flaw as a security vulnerability -- Apple patched the bug in mid-June by updating Safari to 3.1.2.

But Google used a pre-patch version of WebKit to build Chrome, and so the bug, which was also patched in later editions of WebKit, slipped through. According to Raff, the Chrome beta uses the older WebKit 525.13, the engine used by Safari 3.1.

Raff combined the still-there carpet bomb bug with another reported by U.K.-based penetration tester Petko Petkov at the Black Hat security conference last month. At the time, Petkov outlined how a Java flaw allows Windows to automatically execute JAR files without prompting or warning the user.

Chrome also contributes to the problem, said Raff, by making downloaded files appear as buttons at the bottom of the browser's frame. "One click on this button will execute the file," Raff said. Attackers could place malware on a malicious site, then wait for -- or better yet, draw in -- users running Chrome. The browser would not warn the user of the JAR file automatically downloaded from the site, and the button-style indicator in Chrome could be easily mistaken for part of the application.

Users can set an option in Chrome that will thwart Raff's exploit by popping up a warning asking for a filename and location for any downloaded file. To change Chrome, select Options under the "Customize and control Google Chrome" menu; the menu is at the far right, near the top, and although not named, looks like a small wrench. Next, click the "Minor Tweaks" tab in the Options window, then check the box that reads "Ask where to save each file before downloading."

The blended threat, Raff argued, illustrates a bigger problem for Chrome, which has borrowed components from both Safari -- via WebKit -- as well as unspecified pieces of Mozilla Corp.'s open-source Firefox.

Calling the approach "problematic" from a security standpoint, Raff wondered how quickly Google will be able to patch problems in Chrome.

"They'll have to track all security vulnerabilities in those [borrowed] features, and fix them in Chrome too," Raff said in the blog post that spelled out more detail of the Chrome/Java blended threat. "This will probably be only after those vulnerabilities were fixed by the other vendors or were publicly reported. It will put Chrome users at risk for a long time."

Chrome can be downloaded in a version for Windows XP and Vista.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags carpet bomb bugchrome

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?