• Google Chrome Flaw Could Allow Windows Credential Theft


    #116591

    Following up on last week’s post over on Code Red – Security advisories, scmagazine.com have now published an article on the Google Chrome Flaw discussed in More SMB Blocking Advice, and Set Chrome Browser to ‘Ask Where to Save’:

     
    Google Chrome Flaw Could Allow Windows Credential Theft
    by Greg Masters, Managing Editor, scmagazine.com

    May 17, 2017
    “With its default configuration, Chrome browser will automatically download files that it deems safe without prompting the user for a download location but instead using the preset one,” Stankovic wrote. This step, he explained, is not optimal from a security standpoint, but for it to cause any harm a user would still need to manually open and run the (.scf) file.

    When a number of anti-virus solutions were tested, none captured the downloaded file as suspicious.

    To disable automatic downloads in Google Chrome, Stankovic recommended the following preferences be checked: Settings -> Show advanced settings -> Check the Ask where to save each file before downloading option.

    “Manually approving each download attempt significantly decreases the risk of NTLMv2 credential theft attacks using SCF files,” he explained.

    Google is reportedly looking into the vulnerability.
    Read the full article here
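An added example, not part of the original post or the quoted article: a defender-side check that lists every .scf file in a download folder (Windows hides the extension, as a reply below notes) and flags any value pointing at a UNC path or URL, such as a remote icon file. The folder layout, file names and the host `host.invalid` are constructed for illustration.

```python
import configparser
import re
import tempfile
from pathlib import Path

# A value starting with \\host, //host or scheme:// makes Windows reach out to another machine.
REMOTE_REF = re.compile(r'^(\\\\|//|[a-z][a-z0-9+.-]*://)', re.IGNORECASE)

# Constructed samples: a local-only shell command file and one with a remote icon reference.
BENIGN_SAMPLE = "[Shell]\nCommand=2\nIconFile=explorer.exe,3\n[Taskbar]\nCommand=ToggleDesktop\n"
REMOTE_SAMPLE = "[Shell]\nCommand=2\nIconFile=\\\\host.invalid\\share\\icon.ico\n"

def remote_refs_in_scf(text):
    """Return (section, key, value) for every value that points off-host."""
    parser = configparser.RawConfigParser(strict=False)
    parser.optionxform = str  # keep key names exactly as written in the file
    try:
        parser.read_string(text)
    except configparser.Error:
        # Not valid INI-style content: report it rather than silently skipping it.
        return [("?", "?", "unparseable .scf content")]
    hits = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if REMOTE_REF.match(value.strip().strip('"')):
                hits.append((section, key, value.strip()))
    return hits

def scan_downloads(folder):
    """Map each .scf file under folder to its remote references (empty list = none found)."""
    findings = {}
    for path in Path(folder).rglob("*"):
        if path.is_file() and path.suffix.lower() == ".scf":
            text = path.read_text(encoding="utf-8-sig", errors="replace")
            findings[path.name] = remote_refs_in_scf(text)
    return findings

def demo():
    """Scan a temporary folder holding the constructed samples."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "desktop.scf").write_text(BENIGN_SAMPLE)
        Path(tmp, "invoice.SCF").write_text(REMOTE_SAMPLE)
        Path(tmp, "notes.txt").write_text("not a shell command file")
        return scan_downloads(tmp)

if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, "->", hits or "no remote references")
```

Any .scf file that turns up in a browser download folder deserves a look even when the list of remote references is empty, since users rarely download that file type on purpose.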

    • #117092

      I’d like to ask a question which I hope isn’t a stupid question, because I’m not as technically savvy as most users of this website. After I read your posting, I did what you suggested by checking the box “ask where to save each file before downloading”. But in the past, I had already told Chrome to download files automatically to a location that is different from the default location, by entering a location in the box called “download location”. Now that I’ve followed your instructions, Chrome is apparently going to ask me where to save the file each time it wants to download something. So where do I tell it to download the files to? Can I simply tell it to download the files to the same location where it was already downloading them to anyway (which, as I mentioned, is a different location from the default location)?

      I will appreciate your response.

       

      • #117096

        @L, that’s a question worth asking!

        The concept is that you know that something is being downloaded, rather than it being done silently in the background.

        Once asked where to save the file, save your download to any folder you choose. Being asked gives you the option to cancel a download you didn’t request.

        2 users thanked author for this post.
        • #117098

          Is this flaw found in other browsers?

          I don’t have Chrome but use Firefox. In Firefox you can set it to download automatically or always ask. I use auto to the set location. I haven’t had a problem and can keep track because the browser tells me when something is downloading and my virus scanner puts a notification in my browser. I also open up the folder and manually scan the file.

          I’ll experiment with “always ask” too.

          • #117100

            The potential exists for other browsers to download something without your knowledge, but this is highlighting that Chrome deems .scf files as safe, yet they can be malicious.

            By setting your browser to ask to save each download, you minimise the risk of downloading something you aren’t expecting. The changed saving method gives you the option to cancel the download.

            Don’t forget that some antivirus also deem the files to be safe:

            When a number of anti-virus solutions were tested, none captured the downloaded file as suspicious.

            Also, check out @gonetoplaid’s tip, to make sure file extensions are not hidden, as another security option.

            • #117101

              Thanks.

              Also, check out @gonetoplaid‘s tip, to make sure file extensions are not hidden, as another security option.

              Another good point. I’ve been doing that for years.

            • #117202

              Unfortunately, Windows will ignore your setting to show extensions with .scf files.  It will be shown as type “File Explorer Command” (Win 8; I would guess “File” will be “Windows” in 7 or prior) with no extension.

              I tried creating one with a fictitious remote icon file, and I could not get it to reach out and try it.  Wireshark reported no attempt to communicate, and Sphinx W10FWC didn’t show an access attempt in the log either.

              To edit the file, you can use the command line, or else you can load your favorite text editor and navigate to the directory the .scf is in and load it that way.  In Metapad, the file pane showed no files, but typing ‘test’ made the file, test.scf, appear in the dropdown list.  Selecting it opens it for editing just fine.

              EDIT: I see what you’re saying about Chrome mishandling it as a safe file when it may not be.  Would Chrome just automatically drop stuff on your hard drive (in the preset download directory) without opening a dialog, though?  If you set Firefox to always use a predetermined directory, it still asks what you want to do with the file (Save to Disk or open it using…)

               

              Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
              XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
              Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

            • #117259

              Out of an abundance of caution I’ve changed all my browsers’ download settings. But like it was mentioned in the above post, do we really need to change the ones for Firefox if it at least asks us every time before it downloads a file? Does Firefox really just automatically drop stuff on your hard drive with the “vulnerable” setting without it asking if you want to download a file?

            • #117264

              Does Firefox really just automatically drop stuff on your hard drive with the “vulnerable” setting without it asking if you want to download a file?

              It’s a setting in Firefox that determines whether it asks you or drops the files in a default folder. Tools\Options on the General tab.

            • #117270

              Does Firefox really just automatically drop stuff on your hard drive with the “vulnerable” setting without it asking if you want to download a file?

              By default yes.
              See also the other answer.

            • #117282

              Before I changed my settings I had Firefox ask me before I downloaded a file if I wanted to save it and had selected a specific folder I wanted it to put it in. Is my Firefox still vulnerable with these settings; even if it asks before it downloads, but it still puts the files in my preselected folder?

            • #117764

              Pre-selecting the folder (default location to save) isn’t a security issue. By being asked where to save, you reserve the right to cancel a download.

        • #117702

          Kirsty: Thank you for your reply to my question of May 21, 2017. After I implemented the instructions in your original posting of May 19, 2017, I notice that the “prompt” that Chrome gives me is a “Save As” window, with a file location that Chrome has chosen, and I have the opportunity to change that location, and this location that Chrome has chosen always seems to be different from the location where I want the file to be saved, and so I end up changing the file location. However, prior to implementing the instructions in your original posting of May 19th, Chrome always prompted me with the same “Save As” window, but the file location that Chrome chose was the location that I had told it to save files to when I had set my settings in Chrome to the “download location” (which was different from the default location), as described in my posting of May 21, 2017 above. So therefore, by following your instructions, I have to go through this extra step of telling Chrome where to save the file, whereas in the past, I didn’t need to go through that step because I had already pre-set the location for downloads. So basically, before implementing the instructions in your May 19th posting, it seems like I was already aware that something was being downloaded, but now after implementing the instructions, I have to go through an extra step every time something is downloaded, and I don’t see any difference in my awareness that something is being downloaded (I was apparently aware either way). If I go back to the way I was before implementing the instructions contained in your May 19th posting, would I lose some of that awareness?

          • #117760

            @L In the Advanced Settings, you have the option to select the default location that your files will be saved to, just above the button you click to ask where to save files. You could try changing this to another folder and testing again, to see if you can get the default location to where you would like it.

            The point of the advice to set your downloads to Ask Where to Save is that it occurs for all downloads, whereas without that setting, anything Chrome deems to be safe, including possibly malicious .scf files, is not seen as a download, so doesn’t trigger a request for where to save.

    • #117487

      Before I changed my settings I had Firefox ask me before I downloaded a file if I wanted to save it and had selected a specific folder I wanted it to put it in. Is my Firefox still vulnerable with these settings; even if it asks before it downloads, but it still puts the files in my preselected folder?

      Firefox has always asked me first if I want to save or open any given file.  If I select “save,” it will save it to the preselected downloads directory or ask you where to save it, depending on how it is set.  It has never just downloaded a file because the remote end says so; I have to tell it “save” at the first dialog (save, open, or cancel).

      It is possible that different settings or addons could change this, but it’s relatively simple to test it (though it would not be with the exact file type in question)… find a file to download and see what it does.  You don’t need to actually download it if the save, open, cancel dialog appears; at that point, you know you can cancel it.

      Anyone have a hosting service or know of a direct download link to a .scf file somewhere?

       

      Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
      XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
      Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

    • #117664

      One of our friends with better diagnostics than I have may be able to answer:

      How much traffic occurs while the dialog box is waiting for an answer? Is it pre-download caching only, or does it include bi-directional credential transfer?

      This may be nit-picking with no real effect. But I often observe the process begins without my express approval. It is only asking where I want to put it when it is done.

      Blowing smoke, or is there fire?
      Paul

      • #117713

        Same here. Good question.

      • #117753

        Much depends on the particular browser in use and the way you set it up. Prefetching can (usually) be turned off easily or restricted; setting things like 3rd party cookies only from sites visited, and add-ons for blocking and preventing scripts/XSS, will also limit unwanted traffic.

    • #117710

      This seems like it has the potential to turn into an enormous problem, especially for the average Windows user. Especially if this really blows up into some kind of nightmarish malware being rapidly circulated all around like WannaCry was. Most people aren’t even aware something like this is even possible. I hope MS at least attempts to do something about it with a patch or something and the antivirus companies get busy and try to do something about it too.

      • #117737

        That may be too strong. A ‘handshake’ between systems is normal for any transfer of data. The point of my scenario, wait. First let me say: this is different than the .sfc exploit discussed on another thread. There, the difficulty is a code previously downloaded and now resident, that is activated either by use of the preview pane, or simply inquiring the contents of a directory. This is outside of my knowledge-base.

        Here, #post-117664, I am questioning whether changing this setting to ‘ask me every time’ has any real effect in holding off a mistakenly started, possibly malicious, download. Because the download has already begun while the system awaits your response.

        To be clear, I have always taken advantage of this setting, just as I disable every preview pane I come across. Because I like to control processes, as a stopgap against scheduling conflicts. I am not convinced it offers any protection from a badly chosen download.

      • #117745

        Registered, because my point had become complex (and I forgot to sign above, #post-117737). Knew that being registered would simplify a knowledgeable response.

        Thanks in advance,
        Paul
