Hardening chrome downloads of installers
Reported by joshjdr...@gmail.com, Apr 21 2016
Issue description

From http://seclists.org/oss-sec/2016/q2/126 (point #3)... Putting downloads into a directory of its own can mitigate "Carpet bombing" style attacks. Please consider implementing this strategy!
Comment 1 by joshjdr...@gmail.com, Apr 21 2016
For more color, please also read http://justhaifei1.blogspot.com/2015/10/watch-your-downloads-risk-of-auto.html or see the plethora of Stefan Kanthak's advisories about such DLL planting issues.
Comment 2, May 4 2016
This has been suggested and the intention to implement has floated around for a while. The general approach that we've considered is to download .exe files to a temporary directory and then prompt the user whether to run or save the file (i.e. downloads of .exe files would no longer be "automatic"). "Run" launches the .exe off the temporary directory and schedules the temporary directory to be deleted on reboot. "Save" moves the .exe out to the default download directory.
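The per-download directory scheme described in this comment, as an added illustration that is not Chromium's code: each installer is written into a freshly created directory of its own, so nothing already sitting in the shared Downloads folder (a stray file with a DLL name, for instance) ends up beside it, and "Save" moves it out afterwards. Function names, the staging root and the constructed sample files are assumptions.

```python
import shutil
import tempfile
from pathlib import Path

INSTALLER_SUFFIXES = {".exe", ".msi"}  # assumption: which downloads get isolated


def stage_download(data: bytes, filename: str, staging_root: Path) -> Path:
    """Write an installer into a brand-new directory that holds nothing else."""
    name = Path(filename).name  # drop any directory components from the name
    if Path(name).suffix.lower() not in INSTALLER_SUFFIXES:
        raise ValueError(f"not an installer: {name}")
    own_dir = Path(tempfile.mkdtemp(prefix="dl-", dir=staging_root))
    staged = own_dir / name
    staged.write_bytes(data)
    return staged


def is_isolated(path: Path) -> bool:
    """True only if the executable is the sole entry in its directory."""
    return list(path.parent.iterdir()) == [path]


def save_download(staged: Path, downloads_dir: Path) -> Path:
    """'Save': move the file to the shared downloads directory and drop the
    staging directory. 'Run' would launch from the staging directory instead."""
    downloads_dir.mkdir(parents=True, exist_ok=True)
    dest = downloads_dir / staged.name
    if dest.exists():
        raise FileExistsError(dest)
    shutil.move(str(staged), str(dest))
    shutil.rmtree(staged.parent)
    return dest


def demo() -> dict:
    """Constructed scenario: Downloads already holds a stray file; compare staging
    the installer in its own directory with writing it straight into Downloads."""
    root = Path(tempfile.mkdtemp(prefix="demo-"))
    downloads, staging = root / "Downloads", root / "staging"
    downloads.mkdir()
    staging.mkdir()
    (downloads / "planted.dll").write_bytes(b"constructed placeholder, not a DLL")
    staged = stage_download(b"MZ-placeholder", "setup.exe", staging)
    direct = downloads / "setup-direct.exe"  # the old behaviour, for contrast
    direct.write_bytes(b"MZ-placeholder")
    result = {"staged_isolated": is_isolated(staged), "direct_isolated": is_isolated(direct)}
    saved = save_download(staged, downloads)
    result["saved_in_downloads"] = saved.parent == downloads
    result["staging_cleaned"] = not staged.parent.exists()
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```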
Comment 3, May 4 2016
That sounds like a workable UX to me! I assume "save" would also prompt for location if that option was enabled (as I always turn it on).
Comment 4, May 5 2017
This issue has been available for more than 365 days, and should be re-evaluated. Please re-triage this issue. The Hotlist-Recharge-Cold label is applied for tracking purposes, and should not be removed after re-triaging the issue. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 5, Aug 30