Google Chrome has quickly become one of our favorite browsers here at RWW, but as Ryan Naraine, a security evangelist at Kaspersky Lab, reports, Chrome has also inherited a potentially serious security flaw from the older version of WebKit it is built on. By combining a WebKit flaw with a known Java bug and some clever social engineering, an attacker could easily trick users into launching an executable Java file.
Security expert Aviv Raff, who first discovered this flaw, set up a demo of the exploit here. (Note: the page automatically downloads a Java file to your desktop.) You can safely click on the download; it only opens a notepad application written in Java.
Google, which shows the warning graphic here, calls these unwanted malware downloads "drive-by downloads."
The move comes just days after email marketing provider Epsilon said that attackers had stolen customer data belonging to several of its clients, including Target. Epsilon warned that the thieves could use the stolen information to run phishing campaigns aimed at tricking users out of more sensitive personal data.
For now, Google is test-driving the drive-by download warning for a subset of users on the Chrome developer release channel. The goal is to ship the feature to all users in the next stable release, Chrome 11, which is currently still in the developer channel.
This is the latest in a line of malware defenses Google has created.
Google's Safe Browsing API publishes lists of malicious Web sites, which Google search and browsers such as Chrome, Mozilla Firefox and Apple Safari use to warn users before they visit those pages. Safe Browsing has helped, but plenty of Web sites still commit click fraud, steal users' passwords or serve spam.
Google's new warning is displayed for any download URL that matches an entry on the malicious-site lists published through the Safe Browsing API.
In keeping with Safe Browsing's privacy rules, the feature does not let Google see which URLs users are visiting: the browser checks each URL against a locally cached list of truncated hashes and contacts Google only when a truncated hash matches, sending that hash prefix rather than the URL.
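The following is an added illustration of how a download URL can be checked against a Safe Browsing-style blocklist without revealing the URL to the list provider; it is not Google's or Chrome's code. It follows the protocol of that era: the client keeps only 4-byte SHA-256 prefixes locally, expands each URL into host-suffix and path-prefix expressions, and asks the server for full hashes only when a prefix matches. The URL canonicalization is simplified (fragments, dot segments and IP-address hosts are not handled), and the blocklist entries and hostnames are constructed for the example.

```python
import hashlib
from urllib.parse import urlsplit, unquote

PREFIX_LEN = 4  # Safe Browsing v2 clients keep 32-bit SHA-256 prefixes locally


def canonical_expressions(url: str) -> list:
    """Simplified Safe Browsing host-suffix / path-prefix expansion.

    A blocklist entry for 'evil.example/malware/' must cover
    'http://www.evil.example/malware/setup.exe?x=1'. Real clients also strip
    fragments, resolve '.'/'..' segments and normalise IP hosts; omitted here.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")
    path = unquote(parts.path) or "/"

    # Host suffixes: the exact host plus up to four suffixes formed from the
    # last five labels, never the bare TLD.
    labels = host.split(".")
    hosts = [host]
    for n in range(min(5, len(labels) - 1), 1, -1):
        hosts.append(".".join(labels[-n:]))

    # Path prefixes: the path with and without its query, then "/" and up to
    # three directory prefixes, each with a trailing slash.
    paths = [f"{path}?{parts.query}"] if parts.query else []
    paths.append(path)
    directory = "/"
    paths.append(directory)
    for seg in [s for s in path.rsplit("/", 1)[0].split("/") if s][:3]:
        directory += seg + "/"
        paths.append(directory)

    return list(dict.fromkeys(h + p for h in hosts for p in paths))


def full_hash(expr: str) -> bytes:
    return hashlib.sha256(expr.encode("utf-8")).digest()


def hash_prefix(expr: str) -> bytes:
    return full_hash(expr)[:PREFIX_LEN]


# Constructed sample blocklist for this demo; these are not real entries.
MALICIOUS_ENTRIES = ["evil.example/malware/", "dropper.example/"]
SERVER_FULL_HASHES = {full_hash(e) for e in MALICIOUS_ENTRIES}

# The client's local copy holds only prefixes. One extra prefix is planted to
# stand in for a prefix collision or stale data: it matches a benign directory
# but no entry on the server, so the full-hash step must clear it.
LOCAL_PREFIXES = {hash_prefix(e) for e in MALICIOUS_ENTRIES}
LOCAL_PREFIXES.add(hash_prefix("good.example/files/"))


def server_lookup(prefixes: set) -> set:
    """Server side of the exchange: it receives 4-byte prefixes, never a URL,
    and answers with every full hash it knows that starts with one of them."""
    return {h for h in SERVER_FULL_HASHES if h[:PREFIX_LEN] in prefixes}


def check_download(url: str) -> tuple:
    """Return (verdict, prefixes_sent); verdict is 'allow' or 'warn'."""
    exprs = canonical_expressions(url)
    local_hits = {hash_prefix(e) for e in exprs} & LOCAL_PREFIXES
    if not local_hits:
        return "allow", set()  # clean URLs never cause a network round trip
    confirmed = server_lookup(local_hits)
    flagged = any(full_hash(e) in confirmed for e in exprs)
    return ("warn" if flagged else "allow"), local_hits


if __name__ == "__main__":
    for u in ["http://www.evil.example/malware/setup.exe?x=1",
              "https://cdn.dropper.example/a/b.exe",
              "http://evil.example/docs/readme.txt",
              "http://good.example/files/setup.exe"]:
        verdict, sent = check_download(u)
        print(f"{verdict:5} {u}  sent={[p.hex() for p in sent]}")
```

The point to take away is in `check_download`: the only thing that ever leaves the client is a set of 4-byte prefixes, and even those leave only for URLs that already hit the local list. The planted prefix for `good.example/files/` shows why the full-hash confirmation is not optional: a prefix match alone would have produced a false warning.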
These are heady days for hackers. In addition to the Epsilon breach, Google's new drive-by download protection comes just days after Google unveiled two security projects to shore up the SSL (Secure Sockets Layer) infrastructure, which was rocked by the Comodo digital certificate incident late last month.
A lone hacker compromised an account at one of Comodo's registration authority partners and used it to issue digital certificates for Web sites owned by Microsoft, Google, Yahoo, Skype and Mozilla.