Google Chrome vulnerable to 'carpet bomb' attack

Attackers can combine the months-old "carpet bomb" bug with another flaw disclosed last month to trick people running Google's brand-new Chrome browser into downloading and launching malicious code, a security researcher said today.

Share

Attackers can combine the months-old "carpet bomb" bug with another flaw disclosed last month to trick people running Google's brand-new Chrome browser into downloading and launching malicious code, a security researcher said today.

The attacks are possible because Google used an older version of WebKit, the open-source rendering engine that also power Apple's Safari, as the foundation of Chrome, said Israeli researcher Aviv Raff on Wednesday.

Raff posted a proof-of-concept exploit to demonstrate how hackers could create a new "blended threat" -- so-named because it relies on multiple vulnerabilities -- to attack Chrome, the browser Google released this week.

"This is different from the Safari/IE blended threat," said Raff in an interview conducted via instant messaging. "It's a different blend with one similar component.

It uses the auto-download vulnerability (aka 'Carpet Bomb') in combination with a [user interface] design flaw and an issue with Java that doesn't display a warning on execution of JAR files downloaded from the Internet." Raff's reference to the earlier Safari/IE blended threat was to his May report that said a bug in Apple Inc.'s Safari browser could be paired with an unpatched vulnerability in Microsoft Corp.'s Internet Explorer (IE) to compromise Windows PCs.

The "carpet bomb" bug, revealed by researcher Nitesh Dhanjani in early May and named for the way it could be used to dump files onto the Windows desktop, stemmed from the fact that Safari did not require a user's permission to download a file. Attackers, Dhanjani said, could populate a malicious site with rogue code that Safari would automatically download to the desktop, where it might tempt a curious user into opening the file.

After first balking -- for a time it refused the classify the flaw as a security vulnerability -- Apple patched the bug in mid-June by updating Safari to 3.1.2.