A vulnerability in both Microsoft Internet Explorer and Google Chrome browsers can trick you into executing malicious code on your copmuter, says an independent researcher. According to Rosario Valotta, who presented the malicious attack during the Hack in the Box security conference, both browsers have a security weakness that can be exploited when users issue operating-system-level commands, commands include printing or saving.
The researcher also said that Windows 7 and Windows 8 users who are using IE 9 and IE 10 are vulnerable to these attacks. And the attacks happen when they enter one or two characters while browsing through a malicious website. Likewise, users running Chrome browsers on Windows 8 machines are also vulnerable to these attacks. This can happen when they click a single HTML button on a malicious page.
Explaining the attacks further, Valotta said that when you visit an attack website, the website opens up a pop-under window that usually remains invisible. This hidden window silently downloads a malicious executable file without notifying you. The worst part is, it does not even request any permission for downloading and executing the malicious file. If you’re using IE and you’ve visited a malicious website, the attack is executed by mere typing of the character “r” for Windows 7 users and pressing the tab key followed by the character “r” for Windows 8 users. If you’re using Chrome, clicking a button on the malicious site will run the malicious file.
In theory, a malicious attack can any keys/buttons to have the code executed because the issue here is simply pressing a key or clicking a button downloads and executes a malicious file.
If Valotta’s statement got you a bit worried, well Microsoft is not and doesn’t think that the behavior is a vulnerability at all in their browser:
“We are aware of this industry-wide social engineering technique that requires user interaction to run a malicious application,” the statement said. “This is not a vulnerability, as someone must be convinced to visit a malicious site and take additional action, such as using a keyboard shortcut to execute the malicious application. Smart Screen will help mitigate the risk for customers running Internet Explorer. We continue to encourage customers [to] exercise caution when visiting untrusted websites.”
Valotta was quick to react to Microsoft statement saying that Smart Screen protections can be easily bypassed through shortened URLS that still links to malicious executable files. Around 20% of the files passes through the Smart Screen protection feature of IE. Additionally, Smart Screen can still be bypassed through digitally signing malware with an authentic extended validation certificate previously used in an inactive applications. What’s bad about this and hackers know this is that it does not require user approval to run its course.
While Valotta and Microsoft seems to be not agreeing on this issue, it now depends on you whether who are you going to believe in. Internet security has gone a long way since the early days. But as browser technology progresses so does malicious technology which will render browsers vulnerable to all kinds of attacks. At the end of the day, it’s still up to us users, whether we will easily succumb to these threats or not.
[via Ars Technica]