【转帖】据说Google Chrome的口令管理器也有问题

hardywang · Sep 15th, 2008, 16:45

http://www.p2pnet.net/story/16889

Google Chrome security flaws
p2pnet news view Products | Security:- Ooops.

“Google Chrome’s password manager failed more tests than any other browser I’ve tried,” says Chapin Information Services’ Robert Chapin in a p2pnet Reader’s Write.

Now, “Google’s shiny new Web browser is vulnerable to a carpet-bombing vulnerability that could expose Windows users to malicious hacker attacks,” says ZDNet, going on:

“Just hours after the release of Google Chrome, researcher Aviv Raff discovered that he could combine two vulnerabilities - a flaw in Apple Safari (WebKit) and a Java bug discussed at this year’s Black Hat conference - to trick users into launching executables direct from the new browser.

“Raff has cooked up a harmless demo of the attack in action, showing how a Google Chrome users can be lured into downloading and launching a JAR (Java Archive) file that gets executed without warning.”

Raff’s proof-of-concept code shows how two mouse clicks are all that’s needed to plant malware on Windows desktops, says the story, also pointing out the user-agent shows Chrome is in fact WebKit 525.13 (Safari 3.1), an outdated/vulnerable version of that browser.

“Apple patched the carpet-bombing issue with Safari v3.1.2,” ZDNet says, adding some Windows Vista users are reporting downloaded files are, “automatically dropped on the desktop, setting up a scenario where a combo-attack using this unpatched IE flaw could be used in attacks”

Stay tuned.

Sep 15th, 2008, 16:45	#1
hardywang 在青麦地上跑着 / 雪和太阳的光芒注册日期: Jul 2004 住址: Kilimanjaro 帖子: 9,428 积分:24 精华:16	【转帖】据说Google Chrome的口令管理器也有问题 http://www.p2pnet.net/story/16889 Google Chrome security flaws p2pnet news view Products \| Security:- Ooops. “Google Chrome’s password manager failed more tests than any other browser I’ve tried,” says Chapin Information Services’ Robert Chapin in a p2pnet Reader’s Write. Now, “Google’s shiny new Web browser is vulnerable to a carpet-bombing vulnerability that could expose Windows users to malicious hacker attacks,” says ZDNet, going on: “Just hours after the release of Google Chrome, researcher Aviv Raff discovered that he could combine two vulnerabilities - a flaw in Apple Safari (WebKit) and a Java bug discussed at this year’s Black Hat conference - to trick users into launching executables direct from the new browser. “Raff has cooked up a harmless demo of the attack in action, showing how a Google Chrome users can be lured into downloading and launching a JAR (Java Archive) file that gets executed without warning.” Raff’s proof-of-concept code shows how two mouse clicks are all that’s needed to plant malware on Windows desktops, says the story, also pointing out the user-agent shows Chrome is in fact WebKit 525.13 (Safari 3.1), an outdated/vulnerable version of that browser. “Apple patched the carpet-bombing issue with Safari v3.1.2,” ZDNet says, adding some Windows Vista users are reporting downloaded files are, “automatically dropped on the desktop, setting up a scenario where a combo-attack using this unpatched IE flaw could be used in attacks” Stay tuned.
	秘鲁游记突尼斯游记坦桑尼亚游记