Attackers can combine the months-old "carpet bomb" bug with another flaw disclosed last month to trick people running Google's brand-new Chrome browser into downloading and launching malicious code, a security researcher has warned.
The attacks are possible because Google used an older version of WebKit, the open-source rendering engine that also powers Apple's Safari, as the foundation of Chrome, said Israeli researcher Aviv Raff on Wednesday.
Raff posted a proof-of-concept exploit to demonstrate how hackers could create a new "blended threat" - so-named because it relies on multiple vulnerabilities - to attack Chrome.
"This is different from the Safari/IE blended threat," said Raff in an interview conducted via instant messaging. "It's a different blend with one similar component. It uses the auto-download vulnerability (aka 'Carpet Bomb') in combination with a [user interface] design flaw and an issue with Java that doesn't display a warning on execution of JAR files downloaded from the Internet." Raff's reference to the earlier Safari/IE blended threat was to his May report that said a bug in Apple's Safari browser could be paired with an unpatched vulnerability in Microsoft's Internet Explorer (IE) to compromise Windows PCs.
The "carpet bomb" bug, revealed by researcher Nitesh Dhanjani in May and named for the way it could be used to dump files onto the Windows desktop, stemmed from the fact that Safari did not require a user's permission to download a file. Attackers, Dhanjani said, could populate a malicious site with rogue code that Safari would automatically download to the desktop, where it might tempt a curious user into opening the file.
After first balking - for a time it refused the classify the flaw as a security vulnerability - Apple patched the bug in mid-June by updating Safari to 3.1.2.
But Google used a pre-patch version of WebKit to build Chrome, and so the bug, which was also patched in later editions of WebKit, slipped through. According to Raff, the Chrome beta uses the older WebKit 525.13, the engine used by Safari 3.1.
Raff combined the still-there carpet bomb bug with another reported by UK-based penetration tester Petko Petkov at the Black Hat security conference last month. At the time, Petkov outlined how a Java flaw allows Windows to automatically execute JAR files without prompting or warning the user.
Chrome also contributes to the problem, said Raff, by making downloaded files appear as buttons at the bottom of the browser's frame. "One click on this button will execute the file," Raff said. Attackers could place malware on a malicious site, then wait for - or better yet, draw in - users running Chrome. The browser would not warn the user of the JAR file automatically downloaded from the site, and the button-style indicator in Chrome could be easily mistaken for part of the application.
Users can set an option in Chrome that will thwart Raff's exploit by popping up a warning asking for a filename and location for any downloaded file. To change Chrome, select Options under the "Customize and control Google Chrome" menu; the menu is at the far right, near the top, and although not named, looks like a small wrench. Next, click the "Minor Tweaks" tab in the Options window, then check the box that reads "Ask where to save each file before downloading."
The blended threat, Raff argued, illustrates a bigger problem for Chrome, which has borrowed components from both Safari - via WebKit - as well as unspecified pieces of Mozilla's open-source Firefox.
Calling the approach "problematic" from a security standpoint, Raff wondered how quickly Google will be able to patch problems in Chrome.
"They'll have to track all security vulnerabilities in those [borrowed] features, and fix them in Chrome too," Raff said in the blog post that spelled out more detail of the Chrome/Java blended threat. "This will probably be only after those vulnerabilities were fixed by the other vendors or were publicly reported. It will put Chrome users at risk for a long time."