Google Chrome vulnerable to carpet-bombing flaw
See: http://blogs.zdnet.com/security/?p=1843
Basically Google is using a dated version of Webkit that allows people to launch executable files via the browser itself, without the user knowing.
It'll be interesting to see how fast a patch comes out for this.
(It just happened to me, that's what made me go searching for an answer at 4am)
ZenSix Hosting: Shared hosting starting at $25/year. Chrome convert on day one.
Re: Google Chrome vulnerable to carpet-bombing flaw
Proof of concept: http://raffon.net/research/google/chrome/carpet.html
Re: Google Chrome vulnerable to carpet-bombing flaw
Wow, I was wondering what the hell that arrow was pointing to.
That's just a user judgement there. It's not Google's Fault at all. If the user chose to open the file, it's on them, not the browser, now to go delete that.
Re: Google Chrome vulnerable to carpet-bombing flaw
I agree, this "Serious Flaw" is really only a problem for gullible users. This flaw require user interaction in an ignorant capacity, meaning that social engineering is the more significant flaw, and all products are vulnerable to that in some way or another.
That said, a patch to make this harder to pull over on people would be nice.
Re: Google Chrome vulnerable to carpet-bombing flaw
You don't really have to be a gullible user to be vulnerable to this bug. Simply visiting a site can force download a file to your desktop (or where ever you save files).
Of course executing them is a different story.
Either way, Google should have know about this, the Webkit version they used has been vulnerable for a long time now.
However, I'm sure it will be fixed soon and it's not going to stop me from enjoying my new default browser
Re: Google Chrome vulnerable to carpet-bombing flaw
That being where the gullibility comes in. It is one thing if you get suckered into going to a site that downloads something automatically. It is another thing entirely if you execute it without knowing what it is.Originally Posted by subigo
Oh well, as you said, we'll probably see it fixed soon. The Chrome team was probably more interested in getting everything working before picking out all of the smaller flaws.
Re: Google Chrome vulnerable to carpet-bombing flaw
Of course only a complete imbecile would execute the program. The point is it shouldn't have happened in the first place. Patch it ASAP.That being where the gullibility comes in. It is one thing if you get suckered into going to a site that downloads something automatically. It is another thing entirely if you execute it without knowing what it is.
Oh well, as you said, we'll probably see it fixed soon. The Chrome team was probably more interested in getting everything working before picking out all of the smaller flaws.
Re: Google Chrome vulnerable to carpet-bombing flaw
users can fix this themselves if they deign it important enough
Charlie is a bot etc but hes sexy
Re: Google Chrome vulnerable to carpet-bombing flaw
I think you meant "deem" not "deign." The funny thing is that it still works the way you wrote it, it just makes it sound like you're saying that "Users can fix this themselves if they're willing to condescend to program something."
Perhaps I'm missing some subtlety of English though...
No harm meant, I'm not here to be a grammar-scanner, I just though it was a funny slip.
Posting Permissions
Reply With Quote