Google Chrome Vulnerable Out-of-the-Box

Google Chrome inherited a vulnerability from the outdated Safari WebKit

By Lucian Constantin, Web News Editor

3rd of September 2008, 13:26 GMT

Google released its new browser, Chrome, only recently, and security researchers have already announced that it has a serious vulnerability. The vulnerability itself is not new: it was originally reported in Apple's Safari 3.1.1 browser and patched in the 3.3.2 version. However, because Google Chrome is built on the same Apple WebKit version as Safari 3.1.1, it inherited the flaw.

Some time ago, we wrote about the “carpet bomb” vulnerability, originally discovered and reported to Apple by Nitesh Dhanjani. It allowed a website to force the browser to download files without the user's consent. This was possible because Safari had no option to ask users before downloading files.

Apple's first reaction was that this was more of a feature request than a security issue. However, under pressure from the security industry, which pointed out that this flaw, or lack of functionality, could be combined with vulnerabilities in other applications to distribute malware, Apple eventually addressed it.

Noticing that Google Chrome uses the outdated Apple WebKit that allows carpet bombing, security researcher Aviv Raff combined the flaw with a bug in Java to demonstrate how Chrome users could easily be tricked into downloading and executing malicious code in the form of a Java Archive (JAR) file. Mr. Raff had previously demonstrated the use of this flaw in conjunction with an older IE vulnerability to execute arbitrary code. At the time, this even prompted Microsoft to release an advisory about the Safari issue.

While Apple's initial response to Dhanjani's report was “We can file that as an enhancement request for the Safari team. Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads,” Secunia rated the carpet bomb vulnerability as “Highly Critical.” Dhanjani's proof-of-concept example involved serving a file with a gibberish Content-Type through an HTML iframe. This forced Safari to download the file, because it did not know how to interpret the unknown Content-Type.
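
A simplified model of the download decision described above, contrasting the silent-save behaviour with a policy that always asks. It is an added illustration, not code from WebKit, Safari or Chrome; the type list, the function names and the `inSubframe`/`userGesture` context fields are assumptions.

```javascript
// Simplified model of a browser's download decision. Added illustration,
// not WebKit/Safari/Chrome code; all names here are assumptions.
const RENDERABLE = new Set([ // assumed, abbreviated list of inline-displayable types
  "text/html", "text/plain", "text/css", "application/xhtml+xml",
  "image/png", "image/jpeg", "image/gif",
]);

// Reduce a Content-Type header to its bare "type/subtype", or null if malformed.
function mediaType(contentType) {
  if (typeof contentType !== "string") return null;
  const essence = contentType.split(";")[0].trim().toLowerCase();
  return /^[a-z0-9!#$&^_.+-]+\/[a-z0-9!#$&^_.+-]+$/.test(essence) ? essence : null;
}

// A response becomes a download when the server asks for it or the type is unknown.
function isDownload(response) {
  const disposition = (response.contentDisposition || "").trim().toLowerCase();
  if (disposition.startsWith("attachment")) return true;
  const type = mediaType(response.contentType);
  return type === null || !RENDERABLE.has(type);
}

// Behaviour the article describes: an uninterpretable type is saved without asking.
function legacyDecision(response) {
  return isDownload(response) ? "save-silently" : "render";
}

// Hardened policy: every download needs consent, and one started from a
// subframe or without a user gesture is additionally flagged to the user.
function hardenedDecision(response, ctx) {
  if (!isDownload(response)) return "render";
  return ctx.inSubframe || !ctx.userGesture ? "prompt-with-warning" : "prompt";
}

// Constructed sample: a page framing a response with a made-up Content-Type.
const framedUnknown = { contentType: "blah/blah", contentDisposition: "" };
const framedCtx = { inSubframe: true, userGesture: false };
console.log("legacy:", legacyDecision(framedUnknown));
console.log("hardened:", hardenedDecision(framedUnknown, framedCtx));
```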

Since Chrome is in the beta stage of development, other security issues are also likely to be discovered. As this example shows, they might not even be native, but rather inherited.
