Google's Chrome Browser Not Yet Secure - InformationWeek
9/3/2008
01:37 PM

In theory, Chrome should be more secure than other browsers because, rather than being a single-threaded application, each tab is handled by its own sandboxed process.

Google's Chrome browser is only a day old, but security researchers already have found vulnerabilities that can be exploited.

According to a report published by ZDNet, security researcher Aviv Raff has found that he can combine a flaw in the open source WebKit engine with a Java bug to dupe Chrome users into downloading executable files.

Apple, which uses WebKit in its Safari browser, fixed this flaw with its Safari 3.1.2 browser patch. Chrome uses an older version of WebKit that has not been repaired.

Another security researcher, Rishi Narang, claimed to have found a way to crash Chrome with a malicious link.

"An issue exists in how chrome behaves with undefined-handlers in chrome.dll version 0.2.149.27," Narang explained on the Evil Fingers Web site. "A crash can result without user interaction. When a user is made to visit a malicious link, which has an undefined handler followed by a 'special' character, the Chrome crashes with a Google Chrome message window 'Whoa! Google Chrome has crashed. Restart now?' "

And someone identified as "Nerex" has posted proof-of-concept JavaScript code on Milw0rm.com that supposedly "allows files (e.g., executables) to be automatically downloaded to the user's computer without any user prompt."

This exploit appears to be similar to the one identified by Raff.

In theory, Google Chrome should be more secure than other browsers because, rather than being a single-threaded application, each tab is handled by its own sandboxed process with its own memory space. Like a multiengine plane, Chrome is designed not to crash following the loss of a single engine.

"[Chrome] utilizes technology that has historically been associated with operating systems to create isolation between different browser tabs with the aim of improved crash-resistance and security," IDC analyst Al Hilwa said in a research note. "The security capabilities also ensue from a new sandbox model that strengthens what is typically available today from other browsers."

But Chrome is beta software and remains a work in progress.

Hilwa observes that while Google's security architecture isolates the browser's kernel from attacks on rendering-engine vulnerabilities, it doesn't extend this same protection to plug-ins like Java, Flash, and Silverlight.

Mozilla software engineer Robert O'Callahan in a blog post said that while Chrome looks promising, Google's coders still have challenges to overcome. "There are some interesting architectural problems they haven't solved yet, especially with the process separation model, especially with regard to windowless plugins, and also Mac," he said. "These are problems that will be encountered by anyone doing process separation so it will be interesting to see how that goes."
