Early security issues tarnish Google's Chrome

Researchers have already found two security problems with Google's new Chrome browser.
Google's new Chrome Web browser plagued with security problems

Google's new Chrome Web browser plagued with security problems

Security researchers have reported finding vulnerabilities in Google's new Web browser a day after it was released in beta.

One vulnerability would allow hackers to crash the browser. Security researcher Rishi Narang described the issue on the SecuriTeam Web site and posted a proof of concept at Evilfingers. According to Narang, a hacker could build a malicious link that includes an undefined handler followed by a certain character. When a user clicks on the link, Chrome crashes.

Another, potentially more serious vulnerability could result in Chrome users downloading malicious code. The problem is due, in part, to the fact that Google uses an older version of WebKit, the open-source browser technology also used in Apple's Safari browser, that includes the vulnerability.

Discovered by researcher Aviv Raff, the problem lies in the way Chrome downloads files and the way Windows handles the downloaded files, he said.

Chrome's default setting downloads files into a folder. It then displays a download bar at the bottom of the browser page. Users click on the bar to open the file. If the file is an executable, Windows displays a warning, which can help users avoid inadvertently downloading malicious code.

If the file is a JAR (Java Archive), however, it isn't treated like other executables, Raff said. When a user clicks on that download bar, instead of displaying a warning, Windows automatically runs the file.

The problem is exacerbated by the way the download bar looks, Raff said. The bar appears to be part of the Web page. In a proof of concept that Raff posted, users might think they're clicking on a link or a button on the page, rather than opening up a downloaded file.

"This is again a sort of a 'blended threat'," he wrote in a blog post. "Two small issues in different products, when blended together, create a much larger problem."

He thinks Google might face other, similar issues in the future because Chrome uses technologies from different browsers, including Apple's Safari and Mozilla's Firefox.

"Security wise, it's very problematic," Raff wrote. "They'll have to track all security vulnerabilities in those features, and fix them in Chrome too. This will probably be only after those vulnerabilities were fixed by the other vendors or were publicly reported. It will put Chrome users at risk for a long time."

Google did not directly address questions about this vulnerability or whether it plans to make any changes to Chrome to prevent any potential problems. Instead, a Google spokeswoman said in a statement that, by default, Chrome downloads files into a separate folder instead of on the user's desktop as a way to avoid some security problems. In addition, she said that users can set the browser to ask where to save each file before downloading it.

She also did not say whether Google intends to upgrade to the more recent version of WebKit, which addresses the problem by displaying a dialog box for JAR files asking users if they want to download them.

References show all

Comments

1

lloyd_borrett

Fri 05/09/2008 - 11:45

Google consider browser security

It's great that Google have recognised that security needs to be an important consideration with browsers. It's a shame that this beta of Chrome shows that they haven't been thorough enough about it to fix known security problems with the toolkits they've built Chrome on. But it's a beta version and no doubt these issues will be addressed with the release version. (But then again, some Google products seem to remain as beta versions forever!)

It's also great that Google is acknowledging the need to keep ahead of the bad guys and their rapidly evolving ways of using exploits, social engineering and other web-borne threats to harm users. The inclusion of the malware and phishing blacklists in Google Chrome is a step in the right direction. Google state that the software checks a URL against their blacklist databases of web pages/sites that are known to have delivered malware and phishing attacks in the past.

Of course, that approach is mostly too slow to protect against transient threats, and most online threats today are highly transient. The bad guys register and invoke domains, or put their exploit payloads onto legitimate web sites they've been able to poison, for just the few days they'll be able to fly under the radar and not make it onto blacklists. The bad guys either shut the exploit down before making it onto the blacklists, or very soon after. So often these days, the threat is gone before it can be recorded into the blacklists. Worse, at least for the operators of legitimate sites that have been compromised, when the threats are detected and the sites added to the blacklists, the sites show up as infected even after the threats are gone.

AVG believes the best approach is real-time scanning that inspects each web page for exploits right when the user clicks on the link to visit it. That's the approach the AVG LinkScanner technology uses. This real-time scanning functionality is more effective against transient threats. The safe surf AVG LinkScanner Active Surf-Shield module in all paid AVG products does real-time scanning to detect infected and potentially-infected content as you browse the web. This real-time approach delivers the maximum protection simply not able to be provided by blacklists.

Best Regards, Lloyd Borrett
Marketing Manager, AVG (AU/NZ)
www.avg.com.au

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the Computerworld comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: Google Chrome
Whitepapers
All whitepapers
Sign up now to get free exclusive access to reports, research and invitation only events.
Featured Download
/downloads/product/170/gadwin-geforms/

Gadwin GeForms

GeForms allows you to create your own forms or fill in existing forms electronically. Using GeForms you are provided with sophisticated form design tools which ...

Computerworld newsletter

Join the most dedicated community for IT managers, leaders and professionals in Australia