
Google disputes Chrome malware vulnerability 'bug'


Search giant Google has disputed a security company’s claim that its Chrome browser has a critical vulnerability that may allow attackers to plant malware on a Windows PC. An article on PC World cited Slovenia-based Acros Security as saying Google would not consider the bug a vulnerability, but just a “strange behavior that [they] should consider changing.”
The PC World article quoted Acros CEO Mitja Kolsek as saying the problem was one of a string of problems in Windows programs that rely on an attack strategy called “DLL load hijacking,” “binary planting” and “file planting.” It noted Microsoft has provided 17 security updates in the last 13 months to fix DLL load hijacking problems.
Acros said not even Chrome’s sandbox technology protects against this DLL load hijacking, although it said a number of factors must be in place for the attack to succeed. These include Chrome being set to use a search engine other than Google, such as Yahoo! or Bing; the user not having visited a secure (https) site; and the user being duped into trying to load a file and thus having the “Open” dialog box onscreen when the attack initiates.
But PC World said a Google developer dismissed the problem, saying the preconditions to exploit this are “too stretched.” “We’re not treating this as a security bug [because] the preconditions to exploit this are too stretched ... The implausibility of actual exploitation [means] we want to treat this as ‘strange behavior that we should consider changing’ rather than a vulnerability,” it quoted the developer as saying.
But while Acros conceded this is hard to dispute, it said, “as security researchers we consider any ‘feature’ that allows silent downloading of remote code and its execution on user’s computer without warnings a vulnerability.” It also raised the possibility that social engineering may be used to dupe users into triggering the attack.
Acros also recommended that Chrome users set a secure site such as Google’s own Gmail as their home page to prevent such attacks. It said other means of protection include leaving Google as Chrome’s default search engine. — TJD, GMA News