Google Chrome Automatic File Download Exploit

This exploit allows files to be downloaded automatically onto your computer without warning (i.e. the user is not presented with a confirmation message box prior to the download beginning).

At first whilst the implications of this exploit appear to be limited, some reseachers have suggested that ...merely opening a folder in a GUI triggers exploitable actions such as icon display. Desktop.ini in Windows triggers actions when its containing folder is opened. Selecting a file to delete it can trigger other exploitable actions. Anti-virus scans and other automatic processes can be exploited by the download or even the mere presence of some hostile files.

Therefore users are advised to proceed with caution when visiting unknown sites.

A PoC is available at websecurity.com.ua.

Affected Versions
0.2.149.27

References
http://websecurity.com.ua/2404/
http://milw0rm.org/exploits/6355
http://seclists.org/bugtraq/2008/Sep/0037.html

Permalink: Google Chrome Automatic File Download Exploit (bookmark@delicious)

• Chrome News
• Chrome Tips
• Chrome Vulnerabilities
• Chrome Humour