New issue
Advanced search Search tips
Starred by 1 user

Issue metadata

Status: WontFix
Owner:
Closed: Dec 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: ----
Type: Bug



Sign in to add a comment
link

Issue 671382: Download protection: NFO files

Reported by ya...@nightwatchcybersecurity.com, Dec 5 2016

Issue description

VERSION
Chrome Version: 55.0.2883.75m stable
Operating System: Windows 7 Enterprise, Service Pack 1

REPRODUCTION CASE
1. Try the following file - download:
https://theowl.xyz/cr/nfo/test1.nfo
2. Double click to start MSInfo.

The counter will not increment - we are also attaching a test file WITHOUT a payload

NFO files have an XXE vulnerability as discussed here:
http://seclists.org/bugtraq/2016/Dec/2
 
test1.nfo
39 bytes Download

Comment 1 by ya...@nightwatchcybersecurity.com, Dec 5 2016

We can provide a patch

Comment 2 by ajha@chromium.org, Dec 6 2016

Labels: M-55 OS-Windows

Comment 3 by pbomm...@chromium.org, Dec 6 2016

Cc: nparker@chromium.org pbomm...@chromium.org
cc'ing  nparker@ for more insights on the bug

Comment 4 by nparker@chromium.org, Dec 6 2016

Thanks for the report.

In general, the Safe Browsing VRP reward doesn't apply for exploits in external handlers. We're also no longer rewarding for new file types that can be easily added to download_file_types.asciipb.  ref:

https://www.google.com/about/appsecurity/chrome-rewards/
"The extension of the binary file must be one of those that Chrome already tracks. This list can be found here: download_file_types.asciipb"

Comment 5 by nparker@chromium.org, Dec 6 2016

Owner: nparker@chromium.org

Comment 6 by pbomm...@chromium.org, Dec 7 2016

Labels: prestable-55.0.2883.75

Comment 7 by ranjitkan@chromium.org, Dec 12 2016

Status: Untriaged (was: Unconfirmed)

Comment 8 by nparker@chromium.org, Dec 16 2016

Status: WontFix (was: Untriaged)

Comment 9 by vakh@chromium.org, Mar 10 2017

Labels: -Restrict-View-Google Restrict-View-SecurityTeam
For all Download Protection VRP bugs: removing label Restrict-View-Google and adding Restrict-View-SecurityTeam instead.

Comment 10 by sheriffbot@chromium.org, Mar 25 2017

Project Member
Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment