Google downplays Chrome’s carpet-bombing flaw

Google ChromeIn a recent Q&A with Google’s Brian Rakowski, Philipp Lenssen asked him a question in regard to Chrome’s carpet-bombing flaw. Not surprising, considering that Apple refused to admit Safari’s carpet-bombing flaw at the first place, Google is too, downplaying it :

Lenssen: There are ways to make Chrome automatically download a file without the user confirming this (at least using Chrome’s default options). Don’t you consider that a potential problem?

Rakowski: On its own, downloading a file isn’t dangerous. It can be annoying if a site tries to download a bunch of files to fill up your hard drive, but there are other ways to do things like that and it hasn’t become a problem. The danger arises when an automatically downloaded file can be automatically executed. We’ve taken steps to prevent this in Google Chrome and will continue to make sure that this is the case. “

In reality, the danger arises from an automatically downloaded malicious file with a changed icon and a descriptive title or backdoored but legitimate Windows Office files downloaded without any notice, not from dumping hundreds of files on a particular desktop. Causing a denial of service attack next to dumping a piece of crimeware isn’t really going to do much for a malicious attacker wanting your Ebanking data.

The level or exploitability of any of Chrome’s vulnerabilities is proportional with its market share, and whereas there are noIcon Changer currently active malware attacks taking advantage of this particular flaw allowing them to dump a file on a visitor’s desktop, leaving this opportunity open won’t go unnoticed. As it appears, coming up with a simple script filling up someone’s hard drive upon visiting a specific site, seems to be the way to raise awareness on the potential for old school malware attacks relying on changed icons and the binaries spread across the desktop, and hopefully attract Google’s attention to the possibilities for abuse.

Chrome’s been receiving lots of criticism internationally, with Germany’s Federal Office for Information Security urging users not to use the browser, next to the Dutch Computer Emergency Response Team ( recommending its use only in test environments due to the BETA release. For the time being, it’s clearly a wait and see how they threat security issues type of situation.

[Source: zdnet]