Google’s Chrome hit the Web on September 2 with promises of solid security, but less than a day after its launch there were already reports of possible vulnerabilities that could make the much-vaunted new browser a platform for malware infection.
Google has not been shy about acknowledging Chrome’s debt to many open source projects, including Apple’s WebKit. WebKit 525.13, which was adopted by Chrome, is the same version involved in the carpet-bombing issue that plagued Safari. In the past, a flaw in this version of WebKit has been used to force Safari users on Windows to download and execute malicious files with absolutely no prompting upon stumbling onto a booby-trapped Web site.
Reportedly, Vista users noticed that the browser downloaded files straight to the Desktop without any warning. Trend Micro Advanced Threats Researcher Joey Costoya has found that this is because the new browser is set by default to download files without prompting. Malicious users can turn this feature to their advantage, as in the PoC demo that security researcher Aviv Raff presented, which involves embedded iFrame tags that point to the download of a Java Archive file. However, Costoya adds that a malicious file will only execute if a user actually clicks on it in the download toolbar (which normally shows the most recent downloads), conspicuously placed at the bottom of the browser window.
The simplest way for users to address this is: In Options>Minor Tweaks, you can click on the check box beside ‘Ask where to save each file before downloading’ to receive a prompt each time a file is about to be downloaded. You can also, of course, change the download location to somewhere more fitting to your tastes, but unless you click the check box below it, no prompt will appear.
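For anyone reviewing a page's markup, such as a site owner or an incident responder, the frame-triggered download described above can be flagged with a check like the one below. This is an added example, not code from the PoC or from Trend Micro; the extension list, the hidden-frame heuristics and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import posixpath

# Assumed list of file types handed to a local handler once opened; tune per environment.
RISKY_EXTENSIONS = {".jar", ".exe", ".scr", ".bat", ".msi"}
FRAME_TAGS = {"iframe", "frame"}


def _is_hidden(attrs):
    """True if the frame is sized or styled so the user cannot see it."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    zero_sized = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return zero_sized or "display:none" in style or "visibility:hidden" in style


class FrameDownloadScanner(HTMLParser):
    """Collects frames whose src points straight at a downloadable file."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        src = attrs.get("src") or ""
        # Only the URL path matters; query strings and fragments are ignored.
        ext = posixpath.splitext(urlparse(src).path)[1].lower()
        if tag in FRAME_TAGS and ext in RISKY_EXTENSIONS:
            self.findings.append({"line": self.getpos()[0], "src": src,
                                  "ext": ext, "hidden": _is_hidden(attrs)})


def scan_html(html):
    scanner = FrameDownloadScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page (not taken from the PoC); hosts are placeholders.
SAMPLE = """<html><body>
<iframe src="https://cdn.example.invalid/widget.html" width="300"></iframe>
<iframe src="http://files.example.invalid/update.JAR?id=7" width="0" height="0"></iframe>
<IFRAME SRC="/docs/readme.exe" style="display: none"></IFRAME>
</body></html>"""

if __name__ == "__main__":
    print(scan_html(SAMPLE))
```

A finding with `hidden` set is the stronger signal, since a legitimate download link rarely needs an invisible frame.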
Of course, this is just one measure to protect against very plausible online threats when using the shiny new Chrome. Advanced Threats Researcher Paul Ferguson says, “This is exactly what people have been talking about when saying that by (using) Chrome (you can run) Web 2.0 applications better… but unless there are clear, simple, and concise ways to selectively disable these ‘victimization elements’, it just allows Chrome users to (be) victimized as usual.”
Don’t bet the farm on Google’s challenger to IE and Firefox just yet (although Chrome does build upon Mozilla’s technology). Soon after the PoC, CNET News reported that Chrome can crash when presented with a bad link.