Starred by 1 user

Issue metadata

Status: WontFix
Closed: Dec 2016
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: ----
Type: Bug

Issue 671382: Download protection: NFO files

Reported by, Dec 5 2016

Issue description

Chrome Version: 55.0.2883.75m stable
Operating System: Windows 7 Enterprise, Service Pack 1

1. Try the following file - download:
2. Double click to start MSInfo.

The counter will not increment - we are also attaching a test file WITHOUT a payload

NFO files have an XXE vulnerability as discussed here:

Comment 1 by, Dec 5 2016

We can provide a patch

Comment 2 by, Dec 6 2016

Labels: M-55 OS-Windows

Comment 3 by, Dec 6 2016

cc'ing nparker@ for more insights on the bug

Comment 4 by, Dec 6 2016

Thanks for the report.

In general, the Safe Browsing VRP reward doesn't apply for exploits in external handlers. We're also no longer rewarding for new file types that can be easily added to download_file_types.asciipb. ref:
"The extension of the binary file must be one of those that Chrome already tracks. This list can be found here: download_file_types.asciipb"

Comment 5 by, Dec 6 2016


Comment 6 by, Dec 7 2016

Labels: prestable-55.0.2883.75

Comment 7 by, Dec 12 2016

Status: Untriaged (was: Unconfirmed)

Comment 8 by, Dec 16 2016

Status: WontFix (was: Untriaged)

Comment 9 by, Mar 10 2017

Labels: -Restrict-View-Google Restrict-View-SecurityTeam
For all Download Protection VRP bugs: removing label Restrict-View-Google and adding Restrict-View-SecurityTeam instead.

Comment 10 by, Mar 25 2017

Project Member
Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
