Just hours after the release of the Google Chrome browser last month, researcher Aviv Raff discovered that he could combine two vulnerabilities, a flaw in Apple Safari (WebKit) and a Java bug, to trick users into launching executables directly from the new browser. (Here’s a demo showing how Google Chrome users can be lured into downloading and launching a JAR (Java Archive) file that gets executed without warning.)
Now, it looks like Google is finally taking the threat seriously with the release of a new Chrome version to developers that changes the download behavior for files that could execute code.
From the changelog:
· This [version] adds prompting for dangerous types of files (executable) when they are automatically downloaded.
· The file is saved with a temporary name (dangerous_download_xxxx.download) in the download directory and the user is presented (in the download shelf and the download tab if opened) with a warning message and buttons to save/discard the download.
· If discarded the download is removed (and its file deleted). If saved, download goes as usual.
Dangerous downloads not confirmed by the user are deleted on shutdown.
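The flow the changelog describes can be modeled as follows. This is an added illustration, not Chrome's code: the `DownloadShelf` class, its method names, and the extension list are assumptions, and the sample downloads are constructed.

```python
import os
import secrets
import tempfile

# Assumption: illustrative list only; the page does not enumerate Chrome's types.
DANGEROUS_EXTENSIONS = {".exe", ".jar", ".bat", ".msi"}

class DownloadShelf:
    """Holds risky downloads under a temporary name until the user decides."""
    def __init__(self, download_dir):
        self.download_dir = download_dir
        self.pending = {}  # temporary path -> intended final path

    def receive(self, filename, data):  # returns (path, needs_confirmation)
        name = os.path.basename(filename)  # ignore directories in the offered name
        path = os.path.join(self.download_dir, name)
        risky = os.path.splitext(name)[1].lower() in DANGEROUS_EXTENSIONS
        if risky:
            final, path = path, None
            while path is None or os.path.exists(path):  # find an unused temp name
                temp_name = f"dangerous_download_{secrets.token_hex(2)}.download"
                path = os.path.join(self.download_dir, temp_name)
            self.pending[path] = final
        with open(path, "wb") as fh:
            fh.write(data)
        return path, risky

    def save(self, temp):  # user chose "save": give the file its real name
        os.replace(temp, self.pending.pop(temp))

    def discard(self, temp):  # user chose "discard": delete the file
        del self.pending[temp]
        os.remove(temp)

    def shutdown(self):  # unconfirmed downloads do not survive shutdown
        for temp in list(self.pending):
            self.discard(temp)

def demo():  # constructed sample downloads in a throwaway directory
    with tempfile.TemporaryDirectory() as d:
        shelf = DownloadShelf(d)
        _, plain_held = shelf.receive("notes.txt", b"hello")
        kept, _ = shelf.receive("tool.JAR", b"PK")
        dropped, _ = shelf.receive("setup.exe", b"MZ")
        leftover, held = shelf.receive("run.bat", b"@echo")
        shelf.save(kept)
        shelf.discard(dropped)
        shelf.shutdown()
        return plain_held, held, os.path.basename(leftover), sorted(os.listdir(d))
```

Because the file sits on disk under a `.download` name until it is confirmed, it cannot be launched by its real extension in the meantime.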