A recently discovered vulnerability in the Chrome Browser on Windows could allow an attacker to capture user credentials and lead to additional levels of compromise.
The vulnerability clearly demonstrates the value of an isolation-based approach to security. If the browser is running in a hardened, minimized, and separated environment, then the attacker can’t get access to the user’s credentials, which only exist outside the isolated environment.
Further, the vulnerability depends on the browser automatically downloading a dangerous file without the user’s involvement. An isolated browser has the ability to require user intervention before any file can make it to the computer’s real file system.
How to Protect Yourself
If you use Google Chrome on Microsoft Windows you have a couple of options to protect yourself from this vulnerability. First, you can switch to a different browser: Firefox and Internet Explorer are not vulnerable to this bug. You can also stop the automatic downloads by changing your settings in Chrome. Under Settings, select “Show advanced settings” and then check the box “Ask where to save each file.” With that setting checked you will be asked to manually specify where to save every download, which lets you reject any file you did not request or do not recognize.
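As an added example (not code from the original post), the following PowerShell script lets an administrator check whether “Ask where to save each file” is in effect on a Windows machine and, optionally, enforce it machine-wide so users cannot switch it back off. It assumes Chrome’s PromptForDownloadLocation enterprise policy and the download.prompt_for_download key in the profile’s Preferences file; the $Enforce switch is introduced here.

```powershell
# Added example (not from the original post): audit and optionally enforce
# Chrome's "Ask where to save each file" setting on Windows.
# Assumptions: Chrome's PromptForDownloadLocation policy (registry DWORD under
# HKLM\Software\Policies\Google\Chrome) and the per-profile Preferences JSON
# key download.prompt_for_download; the $Enforce switch is introduced here.
param([switch]$Enforce)

$policyKey  = 'HKLM:\Software\Policies\Google\Chrome'
$policyName = 'PromptForDownloadLocation'
$prefsPath  = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Preferences'

# 1. Machine-wide policy: when set to 1, Chrome always prompts for a download
#    location and the user cannot disable the prompt from the Settings page.
$policy = Get-ItemProperty -Path $policyKey -Name $policyName -ErrorAction SilentlyContinue
if ($policy -and $policy.$policyName -eq 1) {
    Write-Output "Policy: download prompt enforced by $policyKey\$policyName"
} else {
    Write-Output 'Policy: not set; the prompt depends on the user preference'
    if ($Enforce) {
        # Requires an elevated (administrator) PowerShell session.
        New-Item -Path $policyKey -Force | Out-Null
        Set-ItemProperty -Path $policyKey -Name $policyName -Value 1 -Type DWord
        Write-Output 'Policy: set PromptForDownloadLocation=1 (applies after Chrome restarts)'
    }
}

# 2. The current user's preference, which is what the manual steps above change.
#    Chrome stores it in a JSON file; read it with Chrome closed, since Chrome
#    rewrites this file on exit.
if (Test-Path $prefsPath) {
    $prefs  = Get-Content -Raw -Path $prefsPath | ConvertFrom-Json
    $prompt = $prefs.download.prompt_for_download
    if ($prompt -eq $true) {
        Write-Output 'Preference: "Ask where to save each file" is ON'
    } else {
        Write-Output 'Preference: "Ask where to save each file" is OFF (downloads are automatic)'
    }
} else {
    Write-Output "Preference: no Chrome profile found at $prefsPath"
}
```

Run it without arguments to audit, or with -Enforce from an elevated prompt to set the policy; the policy takes precedence over the per-user preference once Chrome restarts.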
Of course, the Passages isolated browser would not have been vulnerable in the first place, since this particular attack only works against Chrome on Windows, while Passages runs Firefox on a custom Linux. Nevertheless, even if the attack had been effective against our browser and OS, it still would not have been able to reach the desktop, grab credentials, or do other damage.