Well, that didn't take long. Within hours of Chrome's release yesterday, security researcher Aviv Raff managed to find a hole in the new Google browser. As ZDNet reports, the flaw actually targets an older version of the WebKit rendering engine. Apple's latest Safari release (3.1.2) uses a newer WebKit release that's immune, but Chrome doesn't.
Raff has put up a proof-of-concept demo showcasing the vulnerability. The demo causes Firefox to display a prompt asking the user to download a Java JAR file, but in Chrome, the file downloads automatically to the user's desktop. With a little social engineering (a red arrow pointing to the file in Chrome's download toolbar), users could unknowingly execute the Java app. The app is a simple text editor in Raff's case, but malicious coders could easily use the flaw to plant malware on users' systems.
Interestingly, ZDNet says the vulnerability can also lead to a "combo attack" through an unpatched Internet Explorer flaw. Raff discussed that combo attack in relation with Safari back in late May, although he apparently hasn't released details yet.
|1. BIF - $340||2. Ryu Connor - $250||3. mbutrovich - $250|
|4. YetAnotherGeek2 - $200||5. End User - $150||6. Captain Ned - $100|
|7. Anonymous Gerbil - $100||8. Bill Door - $100||9. ericfulmer - $100|
|10. dkanter - $100|
|AMD drops prices on the Radeon RX 460 and RX 470||42|
|Reports: Radeon RX 470D is a budget Polaris card for China||9|
|Examining reports of slow write speeds on the 32GB iPhone 7||29|
|Cellular Insights dissects iPhone 7 Plus modem performance||11|
|Deals of the week: scads of high-performance storage and more||9|
|Tobii's Eye Tracker 4C knows where your head is||4|
|GeForce driver 375.57 is prepared for Titanfall 2||8|
|Phanteks Eclipse P400 gets a tempered glass option||0|
|Radeon 16.10.2 drivers add support for October's big games||10|
|A real "console monitor" would be 720p @ 30 Hz ;P||+63|