Blended threat can take down PCs running the browser, says researcher
(Computerworld) Attackers can combine a months-old "carpet bomb" bug with another flaw disclosed last month to trick people running Google Inc.'s brand-new Chrome browser into downloading and launching malicious code, a security researcher said today.
The attacks are possible because Google used an older version of WebKit, an open-source rendering engine that also powers Apple Inc.'s Safari, as the foundation of Chrome, said Israeli researcher Aviv Raff on Wednesday.
Raff posted a proof-of-concept exploit to demonstrate how hackers could create a new "blended threat" -- so-named because it relies on multiple vulnerabilities -- to attack Chrome, the browser Google released this week.
"This is different from the Safari/IE blended threat," said Raff in an interview conducted via instant messaging. "It's a different blend with one similar component. It uses the auto-download vulnerability (aka 'Carpet Bomb') in combination with a [user interface] design flaw and an issue with Java that doesn't display a warning on execution of JAR files downloaded from the Internet." Raff's reference to the earlier Safari/IE blended threat was to his May report that said a bug in Apple's Safari browser could be paired with an unpatched vulnerability in Microsoft Corp.'s Internet Explorer (IE) to compromise Windows PCs...............
More: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9114078&source=NLT_VVR&nlid=37
(Computerworld) Attackers can combine a months-old "carpet bomb" bug with another flaw disclosed last month to trick people running Google Inc.'s brand-new Chrome browser into downloading and launching malicious code, a security researcher said today.
The attacks are possible because Google used an older version of WebKit, an open-source rendering engine that also powers Apple Inc.'s Safari, as the foundation of Chrome, said Israeli researcher Aviv Raff on Wednesday.
Raff posted a proof-of-concept exploit to demonstrate how hackers could create a new "blended threat" -- so-named because it relies on multiple vulnerabilities -- to attack Chrome, the browser Google released this week.
"This is different from the Safari/IE blended threat," said Raff in an interview conducted via instant messaging. "It's a different blend with one similar component. It uses the auto-download vulnerability (aka 'Carpet Bomb') in combination with a [user interface] design flaw and an issue with Java that doesn't display a warning on execution of JAR files downloaded from the Internet." Raff's reference to the earlier Safari/IE blended threat was to his May report that said a bug in Apple's Safari browser could be paired with an unpatched vulnerability in Microsoft Corp.'s Internet Explorer (IE) to compromise Windows PCs...............
More: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9114078&source=NLT_VVR&nlid=37
