Add font file types to Download Protection
Reported by
resea...@nightwatchcybersecurity.com,
Jun 29 2016
Issue description

As just blogged by Project Zero, there are ongoing bugs in font files, especially on Windows: https://googleprojectzero.blogspot.com/2016/06/a-year-of-windows-kernel-font-fuzzing-1_27.html

It may be a good idea to add the font types to safe downloading, specifically these for Windows: OTF, PFB, PFM, TTC, TTF. These for Mac OS: DFONT, OTF, TTF. And Linux: AFM, PFA, TTF.

The use case would be downloading any of these, and then double-clicking on the file to trigger the font preview on the right platform.

Some example exploits are available at Project Zero:
https://bugs.chromium.org/p/project-zero/issues/detail?id=683
https://bugs.chromium.org/p/project-zero/issues/detail?id=684

Sample files:
AFM - https://sourceforge.net/p/itext/book/ci/971972174af407b31c1588a1f38493a0d5d9efb0/tree/resources/fonts/cmr10.afm
DFONT - https://github.com/horaextra/community-stuff/tree/master/horaextra
OTF - https://github.com/codeforamerica/schoolselection/tree/master/public/fonts
PFB - https://github.com/frappe/fonts/tree/master/usr_share_fonts/type1/mathml
PFM - https://sourceforge.net/p/itext/book/ci/971972174af407b31c1588a1f38493a0d5d9efb0/tree/resources/fonts/cmr10.pfm
TTC - https://github.com/devongovett/pdfkit/tree/master/docs/fonts
TTF - https://github.com/google/fonts/tree/master/apache/aclonica
Jun 29 2016
Thanks. One more point - on platforms where font preview is enabled, the attack would trigger by merely downloading the file and having it generate the preview without opening.
Jun 29 2016
Thanks for the report. Given how widespread the font-rendering code is, I do think we should track these to detect if they start getting used for a malware campaign. That said, it's generally outside Safe Browsing's scope to protect against exploits in file handlers, so I'd expect this not to qualify for a VRP reward. I tried some of these and noticed that macOS and Linux can reliably MIME-sniff OTF files, so the file extension is irrelevant. We should think about MIME-sniffing in Chrome. Oh, and macOS renders a preview immediately within the file's icon in the download folder.
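The two points above (the per-platform extension list in the report, and the observation that the extension is irrelevant once the OS sniffs the content) can both be illustrated with a small download classifier. This is an added example written for this page, not code from the bug thread or from Chromium; the extension table is the one in the report, the magic-byte checks are standard font container signatures (OpenType 'OTTO', TrueType sfnt version, 'ttcf', Type 1 PFB/PFA headers, AFM), and the function names and constructed samples are my own. DFONT and PFM carry no reliable leading signature, so they are matched by extension only.

```python
from typing import Dict, Optional

# Font extensions the report asks to add to Download Protection, per platform.
FONT_EXTENSIONS = {
    "windows": {"otf", "pfb", "pfm", "ttc", "ttf"},
    "mac": {"dfont", "otf", "ttf"},
    "linux": {"afm", "pfa", "ttf"},
}


def extension_of(filename: str) -> str:
    """Lower-cased extension without the dot, or '' if there is none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def is_font_extension(filename: str, platform: str) -> bool:
    return extension_of(filename) in FONT_EXTENSIONS.get(platform, set())


def sniff_font_type(data: bytes) -> Optional[str]:
    """Identify common font containers from their leading bytes.

    Mirrors what the OS does when it previews a file: the name is ignored,
    the bytes decide. Returns a short type tag or None if not recognised.
    """
    if data[:4] == b"OTTO":
        return "otf"   # OpenType with CFF outlines
    if data[:4] in (b"\x00\x01\x00\x00", b"true"):
        return "ttf"   # TrueType sfnt version 1.0, or Apple's 'true' tag
    if data[:4] == b"ttcf":
        return "ttc"   # TrueType collection
    if data[:2] == b"\x80\x01":
        return "pfb"   # Type 1 binary: segment header 0x80, ASCII segment 0x01
    if data.startswith((b"%!PS-AdobeFont", b"%!FontType1")):
        return "pfa"   # Type 1 ASCII
    if data.startswith(b"StartFontMetrics"):
        return "afm"   # Adobe font metrics
    return None


def classify_download(filename: str, data: bytes, platform: str) -> Dict[str, object]:
    """Combine the extension rule with content sniffing.

    A file is flagged if either signal says 'font', so a renamed font that
    the OS would still preview is caught even though its extension is benign.
    """
    by_ext = is_font_extension(filename, platform)
    sniffed = sniff_font_type(data)
    return {
        "filename": filename,
        "extension_match": by_ext,
        "sniffed_type": sniffed,
        "mismatch": sniffed is not None and sniffed != extension_of(filename),
        "flagged": by_ext or sniffed is not None,
    }


# Constructed sample downloads (not real files): a few leading bytes are enough.
SAMPLES = [
    ("aclonica.ttf", b"\x00\x01\x00\x00\x00\x0b\x00\x80", "windows"),
    ("cmr10.afm", b"StartFontMetrics 2.0\n", "linux"),
    ("invoice.pdf", b"OTTO\x00\x0c\x00\x80\x00\x03\x00\x20", "mac"),   # renamed OTF
    ("notes.txt", b"just some text\n", "windows"),
    ("cmr10.pfm", b"\x00\x01\x2a\x00", "windows"),                      # extension only
]


def run_samples():
    return [classify_download(name, data, plat) for name, data, plat in SAMPLES]


if __name__ == "__main__":
    for result in run_samples():
        print(result)
```

The "mismatch" field is the interesting signal for a download-protection backend: a recognised font signature behind a non-font extension is exactly the case where extension-based rules miss what the OS preview handler will happily parse.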
Jun 29 2016
For MIME type sniffing on Linux, we had filed an earlier bug here: https://bugs.chromium.org/p/chromium/issues/detail?id=596346 Maybe some of the work there can be reused for Mac OS. Regarding VRP, we would assume that this would be decided by the panel once the bug is fixed?
Jun 29 2016
Yes, I agree with all those points.
Jun 29 2016
Thanks for reporting this issue. There is no demonstrable exploit on a fully patched system, so the issue doesn't qualify under the Download Protection VRP guidelines, which require: "Landing a blacklisted test binary (malware example, UwS example) on disk where a typical user could execute it". Ensuring that the user has a fully patched system is outside of Chrome's security model.
Jul 4 2016
OK, let's call this a security feature request. I'd consider it a P1 feature request; font handlers are indeed a soft target even on fully-updated platforms. But of course nparker et al. can re-prioritize as they see fit.
Jul 15 2016
(discussed this offline with SB peoplz) For now, we will just use the sampled reports from download-protection to let Safe Browsing monitor the prevalence of (all) font downloads. If one of them spikes up and is deemed malicious, we can add it then. Since the scanning of downloads on the backend requires resources, we prioritize threats that have a higher probability of widespread abuse.
Mar 10 2017
For all Download Protection VRP bugs: removing label Restrict-View-Google and adding Restrict-View-SecurityTeam instead.
Mar 11 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by palmer@chromium.org, Jun 29 2016
Components: UI>Browser>Downloads UI>Browser>SafeBrowsing Services>Safebrowsing>VRP Services>Safebrowsing
Labels: M-53 OS-Linux OS-Mac OS-Windows
Owner: nparker@chromium.org
Status: Assigned (was: Unconfirmed)