A security researcher has discovered a flaw in the beta version of Google’s Chrome browser that can lead to Windows users downloading malicious Java files.
According to the ZDNET security blog, Israeli security researcher Aviv Raff has released proof-of-concept code that targets a vulnerability in an old version of WebKit being used by the Google browser as well as a Java bug. With a little social engineering, users can be tricked into downloading malware onto Windows desktops.
Ironically, the WebKit flaw this targets was patched already by Apple. Raff has created a demonstration for the flaw that will download a Java Archive file onto a user’s desktop that gets executed without warning. Once the user double-clicks the download at the bottom of the screen, the application is opened.
The demonstration, available here, reportedly opens up a harmless notepad application written in Java.
News of the flaw Sept. 2 came only hours after Google publicly launched the beta for its new browser and stressed security was a main focus. The browser has a number of features designed to protect users, including a private browsing mode known as “Incognito” and the sandboxing of the rendering engine. Google also leverages blacklists to protect users from known rogue sites.