Full Disclosure mailing list archives
Re: Watch your Downloads: the risk of the "auto-download" feature on Microsoft Edge and Google Chrome
From: "Stefan Kanthak" <stefan.kanthak () nexgo de>
Date: Mon, 5 Oct 2015 13:36:26 +0200
"Haifei Li" <haifei-non-reply () outlook com> wrote:
> This is a copied version of my blog post, original version http://justhaifei1.blogspot.com/2015/10/watch-your-downloads-risk-of-auto.html.
>
> Probably it's commonly known that when you try to download something on your modern browser e.g. Google Chrome or Microsoft Edge, the file will be downloaded automatically to your local system with just a simple click - no need for additional confirmations. With default settings, the file will be downloaded to your "Downloads" folder ("C:\Users\<username>\Downloads").
>
> Personally, I have worried about this feature for quite some time; now I finally got some time to highlight this. (Please tell me if someone has already talked about this,

Of course somebody wrote and talked about this already:
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
<http://blog.acrossecurity.com/2012/04/adobe-reader-x-1012-msiexecexe-planting.html>
<http://blog.acrossecurity.com/2010/09/binary-planting-goes-exe.html>
<https://www.it.uu.se/edu/course/homepage/sakdat/ht05/assignments/pm/programme/DLL_Spoofing_in_Windows.pdf>
<https://cwe.mitre.org/data/definitions/426.html>
<https://cwe.mitre.org/data/definitions/427.html>

> I quickly googled around and wasn't able to find an appropriate one, I think it should be known by many ppl).

You can read a little bit more about this weakness and the resulting vulnerabilities on <http://home.arcor.de/skanthak/sentinel.html>

stay tuned
Stefan

JFTR: <iframe src="url"> is HTML, not JavaScript.
      JavaScript is also not necessary to redirect to the download page of some morons who still expect their unsuspecting users to download and RUN an *.EXE to install their soft^Wcrapware:
      1. <META HTTP-Equiv="refresh" content="5; URL='...'"> exists;
      2. Windows' native package format is *.MSI!