Google Chrome’s Blended Browser Threat Could Steal Files from your Computer
With this article I hope to make you aware of a vulnerability with Google Chrome version 18.104.22.168, and earlier versions. As I’m sure you know, Chrome is Google’s solution for a web browser. Chrome has grown in popularity over the years because of its speed and simplicity, and often ranks as one of the most downloaded web browsers. Because it is so widely used, it is important to understand this vulnerability, how it might affect you, and how you can mitigate the risk it poses to your computer and network.
Chrome, like all web browsers, includes the ability to download files from the Internet. However, unlike other browsers, Chrome’s download utility is set to automatically download files to your computer. Internet Explorer, by contrast, will display a “Save As” dialogue box to give the user options when saving a file. Although Chrome’s download functionality is more convenient, after all you only have to click a file and Chrome will automatically download it to your computer, Chrome did leave open the possibility of downloading malicious software.
To help mitigate vulnerabilities, Google did design the Chrome software to warn users when they attempt to download files with certain extensions, such as .exe, .htm, and .jar. However, not all potentially harmful file extensions were included in Google’s blacklist. If a user downloads a file with one of the extensions, such as .mht or .mhtml, the user will not get a warning message and the file could open other web browsers in the background to steal data of the computer.
This automatic download vulnerability is called a Blended Browser Threat because Chrome is used as the vehicle for the attack and a different web browser carries out the malicious intent f the software. By way of example, if a user wants to save a web page from within Chrome, the file automatically save and then be displayed in Chrome’s download bar. If the user clicks on the file in the download bar, or opens the file from another program such as Windows Explorer, the file will automatically open Internet Explorer. This vulnerability was particularly dangerous with Internet Explorer version 6, where the offending file would execute and then send you data and files to a remote destination.
This same vulnerability existed with the Safari web browser and its use of Scalable Vector Graphics files. These .svg files were particularly prevalent with older versions of Safari, so even if you have a newer version on your computer you most likely have .svg files in the program’s registry. This would help mask the malicious file with the .svg extension, and as with the Internet Explorer example, if the user clicks the .svg file in the Chrome download bar or opens it from another program, the software would execute code to open another browser window and being sending your data and files to another computer.
Thankfully Google recognized this vulnerability and have greatly mitigated it by updating their blacklist of potentially dangerous file extensions. So you definitely want to ensure update your version of Google Chrome if you are not running version 22.214.171.124. Also, make sure you configure your browser, regardless of which browser you prefer, to prompt you before downloading any file. Better safe than sorry is definitely an applicable practice when it comes to cyber security.
Although this vulnerability existed in earlier versions of Google Chrome and has since been greatly mitigated, it is still a risk, especially if you or one of your users is running older versions of web browsers. This vulnerability is also another example of how crafty and sneaky evil users can be and highlights that everyone, especially computer users and cyber security professionals, must remain vigilant and aware of the ever evolving threats.