Chrome Frame presents a golden opportunity for malware authors

There's been plenty of talk this week about Google Chrome Frame, which bolts Chrome's shininess onto the Internet Explorer 8 undercarriage. Google says, "it's all about bringing a better, more standards-forward browsing experience to users."
Microsoft says "hey, that thing just gives malware more attach points and makes our browser less secure" -- which caused a lot of chuckling around the blogosphere. After all, Chrome is a pretty secure browser and was the only one not to fall at Pwn2Own this year.
However, as Sophos Labs' Mike Wood points out, there's one big, nasty side effect that hasn't been talked about: social engineering malware.
Attacks offering fake AV codecs are still commonplace. Recently a fake Flash plugin for Firefox was spotted -- and we've all seen the numerous fake antivirus apps for Windows floating around out there.
So how long will it be before someone decides to inject a bogus "you need Google Chrome Frame" popup on some compromised website? There was a time when attacks like this were mostly limited to porn and warez sites, but nowadays it could even occur on a legitimate one like the New York Times.
No, it won't be long before this happens and people start being duped into a malicious install. And when the proverbial sh*t hits the fan, scores of users and technicians who don't know better are going to blame IE8 for not being secure enough and recommend a browser switch.
Whether or not Google planned it that way (I'm going to go with not), this could turn Chrome Frame into a much bigger kick in the nuts for Internet Explorer than first thought.

Comments
11
sjones411 Sep 26th 2009 3:00PM
I'm not sure if I follow your logic. Is the Google Chrome Frame now suddenly a security flaw because it gives malware authors another buzzword to use? That's a pretty weak argument for why Google Chrome Frame is a bad thing...
Adam Maras Sep 27th 2009 3:56PM
Lee's logic is both simple and solid; it goes back to the days of email phishing scams. As Google (and potentially other websites) begin to implement Chrome Frame, users will get used to the user experience provided by said sites. Just like you're used to the style and layout of your banking statements or PayPal notifications, users will become used to the page that directs users to the Chrome Frame installer. This will give malware authors an edge; if they can make a page that looks sufficiently like the Chrome Frame installer, they can easily direct users to install malicious ActiveX controls or plugins on their computers.
Lee Mathews Sep 26th 2009 3:00PM
I'm not calling this problem a flaw - just a natural (and unfortunate) progression. Malware authors are extremely opportunistic, and this affords them a fantastic opportunity to try out a new deception.
aaron Sep 26th 2009 4:31PM
I agree with sjones411. Weak logic.
Is Flash a kick to Firefox's nuts?
If you say no, how can Chrome Frame be to IE8? At least there actually IS reported malware using flash as a disguise...
Adam Maras Sep 27th 2009 3:57PM
Yes, there's reported malware that disguises itself as Flash; that's because Flash is a popular product. As Chrome Frame becomes more mainstream, its branding will have the potential to be exploited just like Flash's branding has been.
SilverWave Sep 26th 2009 8:20PM
That's a pretty worrying title which does not seem to be supported by any actual facts...
>Chrome Frame presents a golden opportunity for malware authors
Did your friends at MS suggest it?
Have you asked Google to respond?
Just saying.
Adam Maras Sep 27th 2009 3:59PM
Fact: popular products and frameworks that require web installation sometimes have their branding copied and used in the context of malware installers.
Fact: Chrome Frame has the same potential as any other popular web plug-in to become popular.
Conclusion: Chrome Frame's branding has the potential to be exploited for malicious use.
Logical?
SilverWave Sep 27th 2009 4:16PM
So your argument is that it's OK to use scary worded titles to blacken Google's reputation. Based not on any security issue, but rather on the potential, hypothetical danger of some social engineering attack?
Do you by any chance have any association with MS?
I just ask as your brand of logic looks very close to theirs.
acme Sep 27th 2009 12:24AM
most users don't know wtf google chrome even is, let alone its framework. this won't be happening any time soon.
whiskey Sep 28th 2009 4:04AM
Listen, if it looks legit and it's deemed necessary for somebody to "get their warez on" it will be a security risk... That's not to say it will be Google's fault either because they can ask you to install stuff on your computer if you want to properly address their services.
The problem, as usual, lies between the chair and the monitor, error code ID107. The solution is rather simple: If you have IE you should deploy this to avoid the confusion and tell ALL your users that it's already installed and to contact support immediately whenever they are asked for it to know better how to deal with it as a threat.
Educate a user and he/she will be less self-destruction-prone.
Rompelotas Sep 29th 2009 8:13AM
Ahhh, ok, I get it. That's some kind of Chewbacca defense, isn't it?