Google's latest update to its Chrome browser re-enables the 'Download Bomb' vulnerability. Version 67 removes the fix applied by Version 65 in March 2018. So what does that actually mean and what can you do about it?
What is a Download Bomb?
A Download Bomb is a nasty trick that causes your browser to initiate hundreds of downloads at once and eventually freeze up. It has previously been used to trap victims on a certain page by scammers who offer a phone number they can call to unlock their browser.
Malwarebytes in late 2017 discovered this technique was being used by scammers masquerading as tech support. Google then patched the vulnerability in Chrome version 65.0.3325.70.
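To make the pattern concrete, and to show the kind of throttle that blunts it, here is an added illustration that is neither Chrome's code nor anything from the article: a per-origin limit on rapid, script-triggered download attempts. The threshold, window length and origins are assumed values chosen for the example, not Chrome's.

```javascript
// Added illustration (not Chrome's implementation): a sliding-window cap on
// programmatic download attempts per origin. A page that fires hundreds of
// downloads in a burst gets only the first few through; the rest are dropped.
// maxDownloads and windowMs are assumed example values.
class DownloadGuard {
  constructor({ maxDownloads = 5, windowMs = 10000 } = {}) {
    this.maxDownloads = maxDownloads;
    this.windowMs = windowMs;
    this.attempts = new Map(); // origin -> timestamps (ms) of recent attempts
  }

  // Returns true if the download may proceed, false if it is throttled.
  // userGesture=true models a download the user actually clicked for; those
  // are never throttled, so legitimate multi-file sites keep working.
  allow(origin, nowMs, userGesture = false) {
    const recent = (this.attempts.get(origin) || [])
      .filter((t) => nowMs - t < this.windowMs); // drop attempts outside the window
    if (!userGesture && recent.length >= this.maxDownloads) {
      this.attempts.set(origin, recent);
      return false;
    }
    recent.push(nowMs);
    this.attempts.set(origin, recent);
    return true;
  }
}

// Simulate a page firing `count` downloads 5 ms apart (the download-bomb
// pattern) and return how many the guard let through.
function simulateBurst(guard, origin, count, startMs) {
  let allowed = 0;
  for (let i = 0; i < count; i++) {
    if (guard.allow(origin, startMs + i * 5)) allowed++;
  }
  return allowed;
}
```

In a browser extension this check would sit in front of each script-initiated download; here the timestamps are passed in explicitly so the logic runs and can be tested offline.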
Why is this a problem again?
The fix that was applied in Chrome version 65 has been removed in version 67, meaning updated browsers are once again vulnerable to this flaw.
Which browsers are affected by the Download Bomb threat?
Not just Chrome: according to tests conducted by Bleeping Computer, Firefox, Vivaldi, Opera and Brave are also affected.
How can I protect my computer from Download Bomb attacks?
Use an ad blocker
Malwarebytes claims that most Download Bomb threats are distributed via malicious advertising, so using an ad blocker can help you avoid them. You can download AdBlock for free from the Chrome app store, but please remember to whitelist sites you trust that rely on funding through legitimate adverts.
Use Microsoft Edge
Bleeping Computer's testing found that Microsoft Edge and Internet Explorer were not affected by this specific vulnerability.
Try the Task Manager
If you've already stumbled across a Download Bomb, on Windows you can bring up the Task Manager by hitting Ctrl + Alt + Del and selecting that option. Use this to force-quit any browser processes.
Downgrade Chrome
This isn't something we particularly advise, given that each new version applies patches to other flaws, but you can downgrade Chrome by uninstalling it and reinstalling a version between 65.0.3325.70, where the vulnerability was fixed, and 67.0.3396.87, where the fix was removed. Remove your current version via Add/Remove Programs, then download previous Chrome installation files here.
Install some security software
This threat is simply the latest in a long line, so it pays to always make sure you have a decent antivirus product installed on your machine. Be sure to keep it up to date and run regular scans.