Every piece of software on the planet is subject to its share of bugs and flaws at some point in time. It is part of human nature to make mistakes, and in this case the mistakes are in lines of software code. Equally, Internet Explorer, Mozilla and Safari have seen their fair share of interesting ‘features’. It is only to be expected that the same thing happens with Chrome, hence the reason why it is in public Beta at this point.
A few hours after the launch of the Chrome public Beta, security researcher Aviv Raff found a hole in the new browser. The new found flaw targets an older version of the WebKit rendering engine. Apple’s latest Safari release uses a newer version of WebKit which is immune from this specific flaw, however Chrome does not.
Aviv Raff has publicized a ‘proof-of-concept’ demonstration showcasing this vulnerability. The demonstration causes Firefox to prompt its users before downloading a Java JAR file. In Chrome, the file is automatically downloaded to the user’s desktop without any prompt. Malicious programmers with some good con-artist skills could easily use this vulnerability to trick users into executing the Java application. The possibilities for what the Java application does are endless at this point, just use your imagination.
Raff’s demonstration uses a simple Java based text editing application. You can view the demonstration here.
ZDNet also mentioned that this vulnerability could be used to execute a ‘combo attack’ through an un-patched Internet Explorer flaw. Raff had already spoken of this flaw in relation to Safari back in the last quarter of May. He has not yet released the details, however.