In theory, Chrome should be more secure than other browsers because, rather than being a single-threaded application, each tab is handled by its own sandboxed process.
Google's Chrome browser is only a day old, but security researchers already have found vulnerabilities that can be exploited.
According to a report published by ZDNet, security researcher Aviv Raff has found that he can combine a flaw in the open source WebKit engine with a Java bug to dupe Chrome users into downloading executable files.
Apple, which uses WebKit in its Safari browser, fixed this flaw with its Safari 3.1.2 browser patch. Chrome uses an older version of WebKit that has not been repaired.
Another security researcher, Rishi Narang, claimed to have found a way to crash Chrome with a malicious link.
"An issue exists in how chrome behaves with undefined-handlers in chrome.dll version 0.2.149.27," Narang explained on the Evil Fingers Web site. "A crash can result without user interaction. When a user is made to visit a malicious link, which has an undefined handler followed by a 'special' character, the Chrome crashes with a Google Chrome message window 'Whoa! Google Chrome has crashed. Restart now?' "
This exploit appears to be similar to the one identified by Raff.
In theory, Google Chrome should be more secure than other browsers because, rather than being a single-threaded application, each tab is handled by its own sandboxed process with its own memory space. Like a multiengine plane, Chrome is designed not to crash following the loss of a single engine.
"[Chrome] utilizes technology that has historically been associated with operating systems to create isolation between different browser tabs with the aim of improved crash-resistance and security," IDC analyst Al Hilwa said in a research note. "The security capabilities also ensue from a new sandbox model that strengthens what is typically available today from other browsers."
But Chrome is beta software and remains a work in progress.
Hilwa observes that while Google's security architecture isolates the browser's kernel from attacks on rendering-engine vulnerabilities, it doesn't extend this same protection to plug-ins like Java, Flash, and Silverlight.
Mozilla software engineer Robert O'Callahan in a blog post said that while Chrome looks promising, Google's coders still have challenges to overcome. "There are some interesting architectural problems they haven't solved yet, especially with the process separation model, especially with regard to windowless plugins, and also Mac," he said. "These are problems that will be encountered by anyone doing process separation so it will be interesting to see how that goes."
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
2017 State of IT ReportIn today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.