
Re: [FD] Watch your Downloads: the risk of the "auto-download" feature on Microsoft Edge and Google Chrome



"Haifei Li" <haifei-non-reply@xxxxxxxxxxx> wrote:

> This is a copied version of my blog post, original version
> http://justhaifei1.blogspot.com/2015/10/watch-your-downloads-risk-of-auto.html.
> Probably it's commonly known that when you try to download
> something on your modern browser e.g. Google Chrome or
> Microsoft Edge, the file will be downloaded automatically to
> your local system with just a simple click - no need for
> additional confirmations. With default settings, the file
> will be downloaded to your "Downloads" folder
> ("C:\Users\<username>\Downloads").
> Personally, I have worried about this feature for quite some time,
> now I finally got some time to highlight this. (Please tell
> me if someone has already talked about this,

Of course somebody wrote and talked about this already:
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
<http://blog.acrossecurity.com/2012/04/adobe-reader-x-1012-msiexecexe-planting.html>
<http://blog.acrossecurity.com/2010/09/binary-planting-goes-exe.html>
<https://www.it.uu.se/edu/course/homepage/sakdat/ht05/assignments/pm/programme/DLL_Spoofing_in_Windows.pdf>
<https://cwe.mitre.org/data/definitions/426.html>
<https://cwe.mitre.org/data/definitions/427.html>

> I quickly googled around and wasn't able to find an appropriate
> one, I think it should be known by many ppl).

You can read a little bit more about this weakness and the resulting
vulnerabilities on <http://home.arcor.de/skanthak/sentinel.html>

stay tuned
Stefan

JFTR: <iframe src="url"> is HTML, not JavaScript.

      JavaScript is also not necessary to redirect to the download
      page of some morons who still expect their unsuspecting users
      to download and RUN an *.EXE to install their soft^Wcrapware:
      1. <META HTTP-Equiv="refresh" content="5; URL=..."> exists;
      2. Windows' native package format is *.MSI!

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/