
Chrome Users on Fedora Exposed to Drive-By Download Attacks


Batu69


 

A combination of poor design choices and insecure software exposes Chrome users on Fedora desktop to drive-by downloads, security researcher Chris Evans has revealed.

 

Despite being considered the most secure desktop browser to date, Chrome isn't perfect. One of the things that most security experts and users complain about is Chrome's auto-download behavior, which manifests by default unless a user has checked an option in the browser's settings that reads "Ask where to save each file before downloading."

 

But this behavior is universal, not just on Fedora desktops. The problem with Fedora is how the OS handles these newly downloaded files.

Drive-by downloads are very effective on Fedora desktops

Once a file is saved on the user's computer, Fedora's Tracker application will automatically index it. The problem here, as Evans explains, is that Tracker isn't sandboxed, meaning any attack on Tracker can very easily spread to the underlying OS.

 

Furthermore, Tracker works with Fedora's Gstreamer framework, the application responsible for generating thumbnails and previews for files in Fedora's desktop environment. Evans says that Gstreamer has "questionable implementation quality from a security perspective."

 

The researcher has put together a proof-of-concept attack in which a user who accessed a malicious website is force-fed a malformed file.

When the file reaches the user's desktop and is parsed by Tracker and Gstreamer, malicious code contained within can execute via the non-sandboxed Tracker app.

Chrome on Fedora drive-by download attack

This type of automated attack chain is known as a drive-by download and has been used for all sorts of nefarious actions from mundane malware distribution to targeted attacks in cyber-espionage operations.

Two zero-days in Gstreamer help the attacks

Evans says that even if ASLR is enabled in Fedora, there are various ways in which the attacker can leverage this combination of Chrome auto-downloads and Tracker & Gstreamer flaws.

 

In order to demo his attack, the researcher has even discovered and used two zero-days in the Gstreamer framework. Evans has not responded to a Bleeping Computer inquiry regarding the status of the two zero-days he says he discovered in Gstreamer.

 

Speaking to a Linux expert and Fedora user who asked for anonymity, Bleeping Computer was told the following.

"The article is generally right; sadly. Tracker should use better sandboxing. The author makes some claims that are difficult to agree with [...]. But the article is mostly spot-on."

 

Article source

 


Google's problem, not possible in Firefox unless you allow it to happen.

Quote

 

Firefox’s solution as demonstrably superior: the user has to accept any random attacker supplied bytes before they are dumped to disk in a well known and indexable location, with an attacker supplied filename and extension.

 
This could be a default behavior to re-align with other browsers, to avoid known security headaches, and probably some as-yet-undiscovered ones too.
 
Absent action from the Chrome developers, there is fortunately a setting that can be used in environments where security is a concern: chrome://settings -> Show advanced settings -> Downloads -> Ask where to save each file before downloading.

 

 


 

 

 

 

I never used Fedora. It's made by Red Hat; it's for people who like Red Hat with bugs. :P

 

Quote

Fedora is a free distribution and community project and upstream for Red Hat Enterprise Linux

 

Quote

 

reggin

Every Fedora upgrade introduces more problems than it solves, which makes you wonder if this is any different from Windows. The new features are usually not even worthy of a blog post and an upgrade never goes smoothly. So why bother? Well, each time I install a new version, I swear that I will skip the next upgrade, but after six months of using a buggy OS, you get tired of it and want to get those problems fixed. The new version will usually do that but introduce a new set of problems.

 

 

Besides, on Linux I use the uGet Chrome wrapper, so I don't have this problem: it's going to ask me whether I want to download the file in uGet, and I would just tell it no. Also, if you use Slimjet's built-in turbo download manager instead of Chrome's default, you could avoid this. This is a problem where Chrome is downloading files without your permission, because they don't have the setting on by default; you can turn it on to ask. It's like Flash in Chrome: you can turn Flash off, it's just hidden where you turn it off.

 

I've seen sites, using Windows before, where an attacker injects malware into a website and it tries to download the exe; in Firefox or IDM you told it no if you know what you're doing, but NOD32 was stopping it in its tracks.



Archived

This topic is now archived and is closed to further replies.
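
Added example, not part of the original thread or of Chrome's code: a check for whether a Chrome profile still saves downloads without asking, the default behaviour the article and the quoted mitigation describe. It assumes the setting is stored as `download.prompt_for_download` in the profile's JSON `Preferences` file and can be forced by the managed policy `PromptForDownloadLocation`; the sample profiles and policy are constructed.

```python
import json

# Constructed samples: the relevant slice of a Chrome profile "Preferences"
# file and of a managed policy file. Not taken from a real system.
PROFILES = {
    "Default":   '{"download": {"default_directory": "/home/alice/Downloads"}}',
    "Profile 1": '{"download": {"prompt_for_download": true}}',
    "Profile 2": '{"download": {"prompt_for_download": false}}',
}
POLICY_ON = '{"PromptForDownloadLocation": true}'


def prompt_state(prefs_text, policy_text=None):
    """Return (asks_before_saving, source) for one profile.

    A managed policy value, when present, overrides the user's preference.
    With neither set, Chrome saves without asking (the default the article
    describes).
    """
    if policy_text:
        policy = json.loads(policy_text)
        if isinstance(policy.get("PromptForDownloadLocation"), bool):
            return policy["PromptForDownloadLocation"], "policy"
    prefs = json.loads(prefs_text)
    download = prefs.get("download")
    if isinstance(download, dict) and isinstance(
            download.get("prompt_for_download"), bool):
        return download["prompt_for_download"], "preference"
    return False, "default"


def auto_saving_profiles(profiles, policy_text=None):
    """Names of profiles that still write downloads to disk without asking."""
    return sorted(name for name, text in profiles.items()
                  if not prompt_state(text, policy_text)[0])


if __name__ == "__main__":
    for name, text in PROFILES.items():
        print(name, prompt_state(text))
    print("auto-saving:", auto_saving_profiles(PROFILES))
    print("with policy:", auto_saving_profiles(PROFILES, POLICY_ON))
```

On a real machine the profile text would be read from each profile's `Preferences` file instead of the inline samples.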
