Download protection: NFO files
Reported by ya...@nightwatchcybersecurity.com, Dec 5 2016
Issue description

VERSION
Chrome Version: 55.0.2883.75m stable
Operating System: Windows 7 Enterprise, Service Pack 1

REPRODUCTION CASE
1. Try the following file - download: https://theowl.xyz/cr/nfo/test1.nfo
2. Double click to start MSInfo. The counter will not increment - we are also attaching a test file WITHOUT a payload

NFO files have an XXE vulnerability as discussed here:
http://seclists.org/bugtraq/2016/Dec/2
Dec 6 2016
cc'ing nparker@ for more insights on the bug
Dec 6 2016
Thanks for the report. In general, the Safe Browsing VRP reward doesn't apply for exploits in external handlers. We're also no longer rewarding for new file types that can be easily added to download_file_types.asciipb. ref: https://www.google.com/about/appsecurity/chrome-rewards/ "The extension of the binary file must be one of those that Chrome already tracks. This list can be found here: download_file_types.asciipb"
Mar 10 2017
For all Download Protection VRP bugs: removing label Restrict-View-Google and adding Restrict-View-SecurityTeam instead.
Mar 25 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ya...@nightwatchcybersecurity.com, Dec 5 2016