Issue 671382

Issue metadata

Status: WontFix
Closed: Dec 2016
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: ----
Type: Bug

Download protection: NFO files

Reported by, Dec 5 2016

Issue description

Chrome Version: 55.0.2883.75m stable
Operating System: Windows 7 Enterprise, Service Pack 1

1. Try the following file - download:
2. Double click to start MSInfo.

The counter will not increment - we are also attaching a test file WITHOUT a payload

NFO files have an XXE vulnerability as discussed here:
We can provide a patch

Comment 2 by, Dec 6 2016

Labels: M-55 OS-Windows
cc'ing nparker@ for more insights on the bug
Thanks for the report.

In general, the Safe Browsing VRP reward doesn't apply for exploits in external handlers. We're also no longer rewarding for new file types that can be easily added to download_file_types.asciipb. ref:
"The extension of the binary file must be one of those that Chrome already tracks. This list can be found here: download_file_types.asciipb"

Labels: prestable-55.0.2883.75
Status: Untriaged (was: Unconfirmed)
Status: WontFix (was: Untriaged)

Comment 9 by, Mar 10 2017

Labels: -Restrict-View-Google Restrict-View-SecurityTeam
For all Download Protection VRP bugs: removing label Restrict-View-Google and adding Restrict-View-SecurityTeam instead.

Comment 10 by, Mar 25 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot