Issue 757479

Starred by 2 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Aug 2017
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: executable has been initialized from a suspicious site

Reported by s...@firsov.net, Aug 21 2017

Issue description

VULNERABILITY DETAILS
Yesterday a potential breach happened on livejournal.com from one author's discussion page. Upon opening the discussion page from the author's timeline in the Chrome browser, the PC fan started intense cooling and a few seconds later some kind of executable was trapped by the antivirus with a "suspicious" message several times in a row. To me it looks like the Chrome browser was compromised and activated or created malware executables. I was not able to close the browser in the usual way by tab or the "X" system menu and needed to use the Windows 10 Task Manager to kill the whole process. Then the high CPU utilization was gone afterwards. Just in case, the PC has been rebooted. The source of the high CPU use is still unknown; the antivirus was not able to detect it.

VERSION
Chrome Version:  60.0.3112.101 (Official Build) (64-bit)
Operating System: Windows 10 Enterprise, up to date.

REPRODUCTION CASE
It will require visiting the malicious site, which is a security concern.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: browser frozen, suspicious executable is blocked by antivirus several times.
Crash State: N/A
Client ID (if relevant): [see link above]


PS. the email template has a wrong URL for security-faq.
 
Labels: Needs-Feedback
Status: WontFix (was: Unconfirmed)
Thanks for the note about the security template; I'll work to have this updated.

Without more details (specifically, the URL on which you reproduced this problem, and/or a network log), the Chrome team will not be able to make progress on this report. 

If you can provide more details, including logs or other information about what your anti-virus program reported, we may be able to reactivate this issue and make progress.

For what it's worth, the most plausible scenario here is that a malicious site undertook an "annoyance" attack (e.g. Issue 394296) which makes the browser enter a tight loop. They then send an executable file download purporting to be the "fix" for the problem in the hopes that you will choose to run it (compromising your PC). Your AV program recognized the download as malware and blocked it, showing the warning you saw. By not running the executable, you remained protected.

Comment 2 by s...@firsov.net, Aug 21 2017

It does not seem like Issue 394296, where no download happens. In this case the executable was run from the browser without a user prompt.

There is a snippet from the history right before the crash:
9:28 PM http://artemdragunov.livejournal.com/5025587.html#/comments
9:28 PM http://artemdragunov.livejournal.com/5025587.html#%2Fcomments
9:28 PM http://artemdragunov.livejournal.com/5025587.html#comments
9:27 PM http://artemdragunov.livejournal.com/

I am working with Cylance antivirus team to obtain the log. At the moment c:\windows\system32\werfault.exe is shown as blocked by CylancePROTECT antivirus.

Comment 3 by s...@firsov.net, Aug 21 2017

Not sure whether it will be helpful, from the Microsoft site: "Werfault.exe is used for Windows Error Reporting. It is a feature that allows Microsoft to track and address errors relating to the operating system, Windows features, and applications. It gives you the option to send data about errors to Microsoft and to receive information about solutions."

In this case Werfault.exe was not downloaded but is a part of the Windows installation and is meant to troubleshoot the frozen program. Most likely the antivirus is not aware of such OS behavior.

The issue seems to be a duplicate of Issue 394296.
Project Member

Comment 4 by sheriffbot@chromium.org, Nov 28 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
