Bugtraq mailing list archives

RE: Google Chrome Automatic File Download


From: "James C. Slora Jr." <james.slora () phra com>
Date: Wed, 3 Sep 2008 17:24:15 -0400

Razi Shaban wrote Wednesday, September 03, 2008 2:04 PM:

> There's a huge difference between downloading and running.
> If a file that is unwanted is auto-downloaded, just delete it.
> No harm done.

Unapproved download does open exploit vectors against other
vulnerabilities, especially when the download is to a location the
attacker can predict.

Merely opening a folder in a GUI triggers exploitable actions such as
icon display. Desktop.ini in Windows triggers actions when its
containing folder is opened. Selecting a file to delete it can trigger
other exploitable actions. Anti-virus scans and other automatic
processes can be exploited by the download or even the mere presence of
some hostile files.

There is plenty of actual malware in the wild that only needs you to
touch the file or scan it with AV or list it in the GUI to be owned,
depending on companion vulnerabilities.

Some vulnerability exploits are mitigated by their need to access a
local file from a known location. Automatic file downloading to a
predictable location eliminates that mitigation.

So users should always be prompted when content is copied to any
location other than their browser cache, and higher-risk file types
should not even go to the cache without giving the user a fighting
chance to refuse the file.
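
Added example, not part of the original post: a defender-side audit of a download folder for the Desktop.ini case mentioned above, listing every folder-icon setting and marking those that point outside the folder. The function names, the choice of the `IconFile`/`IconResource` keys in `[.ShellClassInfo]`, and the sample files are assumptions constructed for illustration.

```python
import configparser
import os
import tempfile

ICON_KEYS = ("iconfile", "iconresource")  # keys the shell reads to draw a folder icon

def is_external(value):
    """True when the value names a resource outside the folder itself."""
    v = value.strip().strip('"')
    return v.startswith(("\\", "/", "%")) or v[1:2] == ":"

def read_ini(path):
    """Parse a desktop.ini, which may be UTF-16 with a BOM or an ANSI/UTF-8 file."""
    with open(path, "rb") as fh:
        raw = fh.read()
    enc = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8-sig"
    ini = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    ini.read_string(raw.decode(enc, errors="replace"))
    return ini

def audit_download_dir(root):
    """Return (relative path, key, value, external?) for each icon key found under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "desktop.ini":
                continue
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            try:
                ini = read_ini(os.path.join(root, rel))
            except (OSError, configparser.Error):
                findings.append((rel, "unparsable", "", True))  # treat as suspicious
                continue
            sections = [s for s in ini.sections() if s.lower() == ".shellclassinfo"]
            for section, key in ((s, k) for s in sections for k in ICON_KEYS):
                value = ini.get(section, key, fallback=None)
                if value is not None:
                    findings.append((rel, key, value, is_external(value)))
    return findings

def demo():
    """Constructed sample: folder 'a' uses a local icon, folder 'b' an outside path."""
    root = tempfile.mkdtemp()
    for sub, line in (("a", "IconFile=folder.ico"), ("b", "IconResource=C:\\Temp\\other\\i.ico,0")):
        os.makedirs(os.path.join(root, sub))
        with open(os.path.join(root, sub, "desktop.ini"), "w", encoding="utf-16") as fh:
            fh.write("[.ShellClassInfo]\n" + line + "\n")
    return sorted(audit_download_dir(root))
```

Any desktop.ini that appears in a browser download location without the user having created it is worth reviewing, whether or not its icon setting is marked external.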


