New issue
Advanced search Search tips

Issue 852211 link

Starred by 2 users
Status: WontFix
Owner: ----
Closed: Jun 2018
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug



Sign in to add a comment

Security: lastest chrome had dll preloading problem

Reported by forrest...@gmail.com, Jun 13 2018 
Hi developer

I tested lastest chrome browser, I find a native dll can to replace in app directory's dll (the other cannot replace)

Hacker maybe can use this problem to attack system or connect to c&c.....

best regards

Comment 1 by wfh@chromium.org, Jun 13 2018

Components: Internals>PlatformIntegration
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam OS-Windows Pri-2 Type-Bug
DLL preloading is not considered a security bug, since anyone who already has access to write to Chrome's application folder can do anything they want including but not limited to, just replacing chrome binaries with anything else including malicious ones.

Do you think this is a regression?

Comment 2 by wfh@google.com, Jun 14 2018

Status: WontFix (was: Unconfirmed)
Now I'm windows sheriff also, I'm closing this as WontFix, given our threat model.

Comment 3 by forrest...@gmail.com, Jun 15 2018 

OK   Thanks

Because my app have the same problem  ,  my company's security team tell me
that is a bug,  they want me to fix it.

I told them google chrome、 microsoft lync... have the same problem , but
they didn't trusted to me. I just want to prove it is not a bug.

Because  Google say DLL proloading is not a security bug.

Thanks again.

2018-06-15 3:57 GMT+08:00 w… via monorail <
monorail+v2.543067860@chromium.org>:

Comment 4 by wfh@chromium.org, Jun 15 2018 

DLL preloading onto an application whose directory requires administrator access to write to, is not a bug.

However, if your application was running directly from a writable directory e.g. running directly from the user's download directory (this is typically apps like installers), then it would be a bug.

Sign in to add a comment