A recent blogpost showed how Chrome, Internet Explorer 9, and Firefox are all vulnerable to a specific bug that can be used to trick the user into downloading a file when they meant to download something else.
flash11_updater.exedownload supposedly served from
adobe.comis, in reality, supplied by the attacker
The bug isn’t really the issue here, though. I mean, it’s definitely useful for social engineering and I can think of a millions ways that I could infect people with this but what I’d like to draw attention to is the response given by the browser vendors.
The response to this has apparently been:
I think that says a lot about browser security. None of them have fixed it and only Chrome has stated they ever plan to, though they’ve given no date. At least Firefox and Chrome gave some discussion.
Think about it this way. If I were to post “Hey guys, update Adobe Flash Player, big security update!” and I linked to the Flash page with the download started I bet a lot of you would install it without a second thought. I’d probably fall for it too if it were linked from a forum I frequent.
This isn’t the biggest security flaw ever, it’s useful for social engineering and there’s definitely potential here but it’s not going to lead to millions of infections (on its own at least.) I just think it’s interesting to see how vendors see ‘low priority’ security flaws.
Check out the proof of concept here. Tell me this wouldn’t fool you if I’d linked to it saying that it was a security update for Flash. Be honest.