A new flaw has been discovered in Google Chrome which could allow malicious actors to steal credentials on Windows PCs.
Discovered by DefenseCode security researcher Bosko Stankovic (via ZDNet), the flaw works through a clever trick in the way Chrome and Windows both treat Windows Explorer Shell Command File (SCF) files, which are used as a Show Desktop icon shortcut. The end result is that the SCF file can be used to obtain a users LAN Manager (NTLMv2) password hash.
Stankovic writes:
Once downloaded, the request is triggered the very moment the download directory is opened in Windows File Explorer to view the file, delete it or work with other files (which is pretty much inevitable). There is no need to click or open the downloaded file – Windows File Explorer will automatically try to retrieve the "icon ".The remote SMB server set up by the attacker is ready to capture the victim's username and NTLMv2 password hash for offline cracking or relay the connection to an externally available service that accepts the same kind of authentication (e.g. Microsoft Exchange) to impersonate the victim without ever knowing the password.
Speaking with Kaspersky's ThreatPost, Google noted that it is "aware of this and taking the necessary actions."
If you rely on Google Chrome for browsing the web, you can protect yourself by heading to Settings > Show advanced settings and checking the box next to "Ask where to save each file before downloading" under the "Downloads" section. Given that this appears to work on all versions of Windows, even Windows 10, hopefully we see a resolution from Google soon.
