Download Protection: ICC files not checked on Windows
Reported by resea...@nightwatchcybersecurity.com, Apr 5 2016
Issue description

VERSION
Chrome Version: 49.0.2623.110 (Official Build) m (32-bit)
Operating System: Windows 2012 R2; version 6.3.9600

REPRODUCTION CASE
ICC profiles are not checked and are installed silently on Windows. ICC files in the past have carried malicious code. This also affects ICM, CAMP, CDMP and GMMP extensions on Windows, and ICC on Mac. We can try to provide a patch if needed.

Past vulnerabilities:
https://www.kb.cert.org/vuls/id/980078
https://www.kb.cert.org/vuls/id/720742

Sample file:
https://github.com/lovell/sharp/blob/master/icc/sRGB_IEC61966-2-1_black_scaled.icc
Apr 6 2016

Apr 21 2016
It is outside Chrome's threat model to know what application is registered to handle different filetypes, what version of that application is installed, and whether it is patched.
Mar 9 2017

Mar 10 2017
For all Download Protection VRP bugs: removing label Restrict-View-Google and adding Restrict-View-SecurityTeam instead.
Mar 11 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by nparker@chromium.org, Apr 6 2016