A researcher says he has uncovered a security weakness that can easily trick people into executing malicious code when they use the Microsoft Internet Explorer and Google Chrome browsers to visit booby-trapped websites.
The attack was recently presented at the Hack in the Box security conference by independent security researcher Rosario Valotta. It exploits weaknesses in the way browsers notify users when they execute operating-system-level commands, such as printing or saving. He said the attack works against Windows 7 and Windows 8 users running IE versions 9 and 10 when they enter either one or two characters while visiting a malicious website. Windows 8 machines running Chrome can be forced to execute malicious code when users click on a single HTML button on a malicious page, such as "Play" for a video or a Facebook "Like." Windows provides some protection against this social engineering attack, but Valotta said attackers can often bypass those defenses.
When a user visits the attack website, it opens a pop-under window that in most cases will remain invisible. The hidden window immediately begins downloading a malicious executable file without notifying the user or requiring any kind of permission. When the website is visited using IE, the file can be executed when English-speaking Windows 7 users type "r" and when Windows 8 users enter the tab key followed by the r key. The keystrokes, which can be invoked by asking the visitor to solve a CAPTCHA puzzle used to filter out bots, send a Windows command to the pop-under window instructing it to run the recently downloaded file. Clicking a booby-trapped HTML button while visiting the page in Chrome similarly executes the malicious file.