Google's Chrome Browser Not Yet Secure

In theory, Chrome should be more secure than other browsers because, rather than being a single-threaded application, each tab is handled by its own sandboxed process.

Thomas Claburn, Editor at Large, Enterprise Mobility

September 3, 2008

2 Min Read
InformationWeek logo in a gray background | InformationWeek

Google's Chrome browser is only a day old, but security researchers already have found vulnerabilities that can be exploited.

According to a report published by ZDNet, security researcher Aviv Raff has found that he can combine a flaw in the open source WebKit engine with a Java bug to dupe Chrome users into downloading executable files.

Apple, which uses WebKit in its Safari browser, fixed this flaw with its Safari 3.1.2 browser patch. Chrome uses an older version of WebKit that has not been repaired.

Another security researcher, Rishi Narang, claimed to have found a way to crash Chrome with a malicious link.

InformationWeek Reports

"An issue exists in how chrome behaves with undefined-handlers in chrome.dll version 0.2.149.27," Narang explained on the Evil Fingers Web site. "A crash can result without user interaction. When a user is made to visit a malicious link, which has an undefined handler followed by a 'special' character, the Chrome crashes with a Google Chrome message window 'Whoa! Google Chrome has crashed. Restart now?' "

And someone identified as "Nerex" has posted proof-of-concept JavaScript code on Milw0rm.com that supposedly "allows files (e.g., executables) to be automatically downloaded to the user's computer without any user prompt."

This exploit appears to be similar to the one identified by Raff.

In theory, Google Chrome should be more secure than other browsers because, rather than being a single-threaded application, each tab is handled by its own sandboxed process with its own memory space. Like a multiengine plane, Chrome is designed not to crash following the loss of a single engine.

"[Chrome] utilizes technology that has historically been associated with operating systems to create isolation between different browser tabs with the aim of improved crash-resistance and security," IDC analyst Al Hilwa said in a research note. "The security capabilities also ensue from a new sandbox model that strengthens what is typically available today from other browsers."

But Chrome is beta software and remains a work in progress.

Hilwa observes that while Google's security architecture isolates the browser's kernel from attacks on rendering-engine vulnerabilities, it doesn't extend this same protection to plug-ins like Java, Flash, and Silverlight.

Mozilla software engineer Robert O'Callahan in a blog post said that while Chrome looks promising, Google's coders still have challenges to overcome. "There are some interesting architectural problems they haven't solved yet, especially with the process separation model, especially with regard to windowless plugins, and also Mac," he said. "These are problems that will be encountered by anyone doing process separation so it will be interesting to see how that goes."

Take a spin through our Google Chrome image gallery and have a look at the browser that's being touted as a game-changer.

About the Author

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights