New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 601255 link

Starred by 1 user
Status: WontFix
Owner:
vakh@chromium.org
Closed: May 2016
Cc:
ya...@nightwatchcybersecurity.com
vakh@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug



Sign in to add a comment

Download Protection: .PREFPANE and other Preference files not checked on Mac OS

Reported by resea...@nightwatchcybersecurity.com, Apr 6 2016 
VERSION
Chrome Version: 49.0.2623.87 Official Build
Operating System: Mac OS X El Capitan, version 10.11.3

REPRODUCTION CASE
PREFPANE files on Mac OS add new Preference panels to System Preferences, similar to CPL files on Windows. Chrome does not check them while CPL files on Windows are checked. This would also be blocked by Gatekeeper, but DMG and APP files are also, and are still being checked. Sample file:

https://github.com/dquimper/Redis.prefPane/blob/master/Redis.prefPane.zip

This is a directly and would need to be carried inside a compressed archive.

This also may affect the following extensions which set to be opened by System Preferences app by default but we haven't tested them:

CONFIGPROFILE
INTERNETCONNECT
MOBILECONFIG
NETWORKCONNECT
PROVISIONPROFILE

Comment 1 by vakh@chromium.org, Apr 22 2016

Labels: reward-ineligible
Thanks for filing this issue.
Downloading the linked file causes the histogram at chrome://histograms/SBClientDownload.CheckDownloadStats to record this download, which makes this issue ineligible for Download Protection VRP.

Please see the FAQ section at https://www.google.com/about/appsecurity/chrome-rewards/index.html for more details on this.

Comment 2 by resea...@nightwatchcybersecurity.com, Apr 22 2016 

We did some more testing and confirm that PREFPANE can only be downloaded inside a compressed file which would trigger the counter.

Comment 3 by vakh@chromium.org, May 6 2016

Labels: SafeBrowsing-Triaged
Owner: vakh@chromium.org

Comment 4 by vakh@chromium.org, May 27 2016

Status: WontFix (was: Unconfirmed)

Comment 5 by infe...@chromium.org, Mar 9 2017

Cc: ya...@nightwatchcybersecurity.com

Comment 6 by vakh@chromium.org, Mar 10 2017

Labels: -Restrict-View-Google Restrict-View-SecurityTeam
For all Download Protection VRP bugs: removing label Restrict-View-Google and adding Restrict-View-SecurityTeam instead.
Project Member

Comment 7 by sheriffbot@chromium.org, Mar 11 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment