Google Chrome forcing download of "f.txt" file


Problem description


After updating to Chrome 40.0.2214.111, variably when I visit certain Google related sites (like http://youtube.com and get presented with an ad before the video), the browser downloads a file named f.txt.

I do not have any adblock plugins installed.

f.txt contains a few lines of JavaScript...starting with:

if (!window.mraid) {document.write('\x3cdiv class="GoogleActiveViewClass" ' +'id="DfaVisibilityIdentifier_3851468350"\x3e');}document.write('\x3ca target\x3d\x22_blank\x22 href\x3d\x22https://adclick.g.doubleclick.net/pcs/click?xai\x3dAKAOjsvDhmmoi2r124JkMyiBGALWfUlTX-zFA1gEdFeZDgdS3JKiEDPl3iIYGtj9Tv2yTJtASqD6S-yqbuNQH5u6fXm4rThyCZ0plv9SXM-UPKJgH4KSS08c97Eim4i45ewgN9OoG3E_ 

In looking up the issue on Google, others have experienced the same, but I have not found any resolution or understanding of why this is happening. I assume it is a content-disposition related bug with some of the JS files loaded on the page, and will clear up in a future patch.

Wondering if anybody else has experienced this / has any insight.

Solution

This issue appears to be causing ongoing consternation, so I will attempt to give a clearer answer than the previously posted answers, which only contain partial hints as to what's happening.

  • Some time around the summer of 2014, IT Security Engineer Michele Spagnuolo (apparently employed at Google Zurich) developed a proof-of-concept exploit and supporting tool called Rosetta Flash that demonstrated a way for hackers to run malicious Flash SWF files from a remote domain in a manner which tricks browsers into thinking it came from the same domain the user was currently browsing. This allows bypassing of the "same-origin policy" and can permit hackers a variety of exploits. You can read the details here: https://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
    • Known affected browsers: Chrome, IE
    • Possibly unaffected browsers: Firefox
  • Adobe has released at least 5 different fixes over the past year while trying to comprehensively fix this vulnerability, but various major websites also introduced their own fixes earlier on in order to prevent mass vulnerability to their userbases. Among the sites to do so: Google, Youtube, Facebook, Github, and others. One component of the ad-hoc mitigation implemented by these website owners was to force the HTTP Header Content-Disposition: attachment; filename=f.txt on the returns from JSONP endpoints. This has the annoyance of causing the browser to automatically download a file called f.txt that you didn't request—but it is far better than your browser automatically running a possibly malicious Flash file.
  • In conclusion, the websites you were visiting when this file spontaneously downloaded are not bad or malicious, but some domain serving content on their pages (usually ads) had content with this exploit inside it. Note that this issue will be random and intermittent in nature because even visiting the same pages consecutively will often produce different ad content. For example, the advertisement domain ad.doubleclick.net probably serves out hundreds of thousands of different ads and only a small percentage likely contain malicious content. This is why various users online are confused thinking they fixed the issue or somehow affected it by uninstalling this program or running that scan, when in fact it is all unrelated. The f.txt download just means you were protected from a recent potential attack with this exploit and you should have no reason to believe you were compromised in any way.
  • The only way I'm aware that you could stop this f.txt file from being downloaded again in the future would be to block the most common domains that appear to be serving this exploit. I've put a short list below of some of the ones implicated in various posts. If you wanted to block these domains from touching your computer, you could add them to your firewall or alternatively you could use the HOSTS file technique described in the second section of this link: http://www.chromefans.org/chrome-tutorial/how-to-block-a-website-in-google-chrome.htm
  • Short list of domains you could block (by no means a comprehensive list). Most of these are highly associated with adware and malware:
    • ad.doubleclick.net
    • adclick.g.doubleclick.net
    • secure-us.imrworldwide.com
    • d.turn.com
    • ad.turn.com
    • secure.insightexpressai.com
    • core.insightexpressai.com
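An added example (not code from the question, the answer, or any of the sites named) showing the mitigation the answer describes: a minimal JSONP responder that forces the header Content-Disposition: attachment; filename=f.txt, and a checker that tells from captured response headers whether a download was that mitigation rather than something else. The callback-name whitelist, the sample response and all function names are this example's own assumptions.

```python
import json
import re

# Assumption of this example: only accept a plain identifier as the JSONP
# callback, so the first bytes of the body stay under the server's control.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$.]{0,63}$")


def jsonp_response(callback, payload):
    """Build (status, headers, body) for a JSONP reply that carries the
    forced-download header from the answer."""
    if not CALLBACK_RE.match(callback):
        return 400, {"Content-Type": "text/plain"}, b"bad callback"
    body = (callback + "(" + json.dumps(payload) + ");").encode("utf-8")
    headers = {
        "Content-Type": "text/javascript; charset=UTF-8",
        # The browser saves the reply instead of rendering it, so a plugin
        # can never interpret the JSONP body as an SWF (the answer's point).
        "Content-Disposition": "attachment; filename=f.txt",
    }
    return 200, headers, body


def to_raw(status, headers, body):
    """Serialise the tuple above into a raw HTTP/1.1 response."""
    reason = {200: "OK", 400: "Bad Request"}[status]
    head = f"HTTP/1.1 {status} {reason}\r\n"
    head += "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    return head.encode("latin-1") + b"\r\n" + body


def classify_response(raw):
    """Parse the header block of a captured raw response and report whether
    it is the f.txt forced-download mitigation."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    disposition = headers.get("content-disposition", "")
    forced = disposition.lower().startswith("attachment")
    match = re.search(r'filename\s*=\s*"?([^";]+)"?', disposition, re.I)
    filename = match.group(1).strip() if match else None
    return {"forced_download": forced, "filename": filename,
            "mitigation_f_txt": forced and filename == "f.txt"}


# Constructed sample of a captured response, shaped like the answer describes.
SAMPLE = (b"HTTP/1.1 200 OK\r\n"
          b"Content-Type: text/javascript; charset=UTF-8\r\n"
          b"Content-Disposition: attachment; filename=f.txt\r\n\r\n"
          b"cb({\"ok\": true});")
```

Running classify_response over proxy captures of the f.txt downloads the question describes lets an analyst confirm they match this header pattern before chasing a malware hypothesis.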
