Message-ID: <C2F4F95928E94D30AF2DB7DB476C6E62@W340>
Date: Mon, 5 Oct 2015 13:36:26 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <haifei-non-reply@...look.com>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] Watch your Downloads: the risk of the "auto-download"
	feature on Microsoft Edge and Google Chrome

"Haifei Li" <haifei-non-reply@...look.com> wrote:

> This is a copied version of my blog post, original version
> http://justhaifei1.blogspot.com/2015/10/watch-your-downloads-risk-of-auto.html.
> Probably it's commonly known that when you try to download
> something on your modern browser e.g. Google Chrome or
> Microsoft Edge, the file will be downloaded automatically to
> your local system with just a simple clicking - no need for
> additional confirmations. With default settings, the file
> will be downloaded to your "Downloads" folder
> ("C:\Users\<username>\Downloads").
> Personally, I have worried about this feature quite some times,
> now I finally got some time on highlighting this. (Please tell
> me if there's someone already talked about this,

Of course somebody wrote and talked about this already:
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
<http://blog.acrossecurity.com/2012/04/adobe-reader-x-1012-msiexecexe-planting.html>
<http://blog.acrossecurity.com/2010/09/binary-planting-goes-exe.html>
<https://www.it.uu.se/edu/course/homepage/sakdat/ht05/assignments/pm/programme/DLL_Spoofing_in_Windows.pdf>
<https://cwe.mitre.org/data/definitions/426.html>
<https://cwe.mitre.org/data/definitions/427.html>

> I quickly googled around and wasn't able to find an appropriate
> one, I think it should be known by many ppl).

You can read a little bit more about this weakness and the resulting
vulnerabilities on <http://home.arcor.de/skanthak/sentinel.html>

stay tuned
Stefan

JFTR: <iframe src="url"> is HTML, not JavaScript.

      JavaScript is also not necessary to redirect to the download
      page of some morons who still expect their unsuspecting users
      to download and RUN an *.EXE to install their soft^Wcrapware:
      1. <META HTTP-Equiv="refresh" content="5; URL=..."> exists;
      2. Windows' native package format is *.MSI!

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
