
Issue 812735


Issue metadata

Status: Duplicate
Merged: issue 812730
Owner: ----
Closed: Feb 2018
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: extensions signing bypass

Reported by boha...@avast.com, Feb 15 2018

Issue description

VULNERABILITY DETAILS
It is possible to inject _arbitrary_ JavaScript into Chrome via an extension
that is signed by Google.

Right now malware is installing an old AdBlock extension (ver 409) into Chrome.

It drops these files:

Extensions\gighmmpiobklfepjocnamgkkbiglidom\449_0\_metadata\computed_hashes.json
Extensions\gighmmpiobklfepjocnamgkkbiglidom\449_0\_metadata\verified_contents.json
Extensions\gighmmpiobklfepjocnamgkkbiglidom\449_0\icon128.png
Extensions\gighmmpiobklfepjocnamgkkbiglidom\449_0\manifest.json
Extensions\gighmmpiobklfepjocnamgkkbiglidom\449_0\contentscript.js <- malicious script that gets loaded by Chrome

and modifies the 'Secure Preferences' file.


Then the extension gets loaded by Chrome without any security warnings.


I have attached all relevant files as well as a screenshot from Chrome.


The severity is probably low because by the time this happens the system is already infected with malware.


I would like to write a blog post about it at blog.avast.com. So if you don't think that this is worth fixing, tell me as soon as possible.
On the other hand, if you need some time to fix this, I will happily wait with publication of the blog post.



VERSION
Chrome Version: 64.0.3282.167 (Official Build) (64-bit)
Operating System: Windows 10, 1709, build 16299.248

REPRODUCTION CASE
All the necessary files are attached in exp.7z. The password for the archive is 'infected'.

 
Attachment: exp.7z (79.6 KB)

Comment 1 by och...@chromium.org, Feb 15 2018

Mergedinto: 812730
Status: Duplicate (was: Unconfirmed)
Project Member

Comment 2 by sheriffbot@chromium.org, May 26 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
