Chrome Update Repairs Microsoft Alert

Tuesday, October 4, 2011 @ 12:10 PM gHale

A new version of Google Chrome is now available that will stop Microsoft Security Essentials (MSE) virus scanner from incorrectly classifying the browser as part of the banking Trojan PWS:Win32/Zbot (Zeus).

A bad patch for Microsoft Security Essentials, Microsoft Forefront and Microsoft Defender meant the scanners were identifying chrome.exe as malware and proposing to delete the browser.

Data Theft: Chrome Vulnerable
Firefox Patches 11 Security Bugs
Browsers Buttress for BEAST Battle
BEAST on Loose; Google gets Ready

Late last week Microsoft released an unscheduled signature update to halt the false detection.

The Chrome update should assist those affected by MSE’s incorrect detection and deletion by repairing the installed versions of Chrome. Manual repair instructions are also available if needed.

Chrome has had a tough run of late as when experts tested the browser’s extensions, 27 of a 100 were vulnerable to extraction attacks through specially crafted malicious websites or by attackers on public WiFi networks.

A trio of security researchers manually analyzed 50 of the most popular Chrome extensions and added to that list 50 more chosen by random.

“We looked for JavaScript injection vulnerabilities in the cores of the extensions (the background, popup, and options pages); script injection into a core allows the complete takeover of an extension,” said Adrienne Porter Felt, one of the researchers. To prove their claim, they performed PoC attacks devised to take advantage of the vulnerabilities.

The bad news is over 25 percent of the tested extensions were vulnerable, and over 300,000 use those extensions.

There is good news: You can patch 49 of the 51 vulnerabilities found by adapting the extensions to use one of two offered Content Security Policies (CSP).

These Policies prevent a successful injection of malicious JavaScript code in various ways: by banning the use of the eval function so untrusted data doesn’t get executed as code; by moving legitimate JavaScript to a .js file so when malicious scripts inject in they immediately differentiate from the legitimate ones and they are visible for what they are; and by completely or partially disallowing external scripts altogether.

“In addition to core extension bugs, extensions can add vulnerabilities to web sites,” said Porter Felt. “CSP will not prevent this, but developers should remember not to use innerHTML to modify web sites. Instead, use innerText or DOM methods like appendChild. Extensions also shouldn’t add HTTP scripts or CSS to HTTPS web sites.”

Leave a Reply

You must be logged in to post a comment.