Google Chrome Security Vulnerabilities

[wige]

Google Chrome Beta has been available for a few days, and hackers and security analysts have apparently been quite busy picking it apart. The following is a summary of known, confirmed and in the wild vulnerabilities that the current build of Google Chrome is affected by:

1. Carpet Bombing: Google Chrome uses AppleWebKit/525.13, the same build of WebKit that is used in Safari, which has been demonstrated to suffer from a critical flaw where the browser will download, install and execute certain files without user intervention. This is actually a shared vulnerability that combines a bug in WebKit with a flaw in Java, allowing JAR files to be executed while bypassing the Operating System's protection scheme. See: US-CERT Current Activity
2. Undefined Handler Exception: Using URLs containing certain strings followed by a certain character can cause all tabs and processes under Google Chrome to crash.
3. App Mode: When visiting certain sites, such as GMail, Chrome opens in a full screen application mode. While in this mode, Chrome hides the address bar. Specially crafted links and even desktop shortcuts can mimic this behavior while sending the user to a malicious phishing site. See: The Way I Think | Security Vulnerability with Google Chrome

As with the release of any new browser software, make sure you take all possible security steps to protect your system and network while testing the application. Now is the time to see how quickly these issues are patched. In today's security landscape, this is often the litmus test for network applications. When the Safari bug was released, Apple took over two months to release a patch.

[wdillsmith]

Those are great tips, thanks. I actually just downloaded it but I don't plan on using it for my main browser. I just want to make sure my site renders okay, then I'll leave it off until a newer, non-beta version comes out.

[avoir des goûts simples]

Google Chrome is still on its Beta version, so some bugs and security holes can be experienced in using the browser. Lets wait for the final version then lets see if it is secure or worth it.

[Andilinks]

I have just road tested Chrome and it is very very fast! But the security issues wige points out make it a bit like a race car with bad brakes.

There are other issues which may be narrow but show that this thing was probably rushed out to meet IE8.

If you run UltraMon on multiple monitors you'll find that Chrome does not display the Ultramon buttons on the title bar. If you have your task bar set to auto-hide you'll find that it won't unhide over Chrome.

Chrome may be the "browser of the future" but it falls a little short of being "browser of the present."

[deepsand]

And, it's also a memory hog.

PC World - Researcher: Chrome's Isolated Tabs Make It Memory 'Pig'

[deepsand]

PC World - Early Security Issues Tarnish Google's Chrome

[chrisJumbo]

Quote:

Originally Posted by deepsand

And, it's also a memory hog.

PC World - Researcher: Chrome's Isolated Tabs Make It Memory 'Pig'

It is a memory hog, but as the article explains it does that by design. And it beat out IE in other tests. I haven't looked at it yet. We do have some slower machines in the office, it would be interesting to see how it does.

[deepsand]

Quote:

Originally Posted by chrisJumbo

It is a memory hog, but as the article explains it does that by design. And it beat out IE in other tests. I haven't looked at it yet. We do have some slower machines in the office, it would be interesting to see how it does.

Being a memory hog "by design" is good?

Are users going to spend $$$ to upgrade or replace their hardware just so they can use IE8 or Chrome?

Did they do/are they doing that for Vista?

[chrisJumbo]

Quote:

Originally Posted by deepsand

Being a memory hog "by design" is good?

It could be "good". As it is now if you have multiple tabs open and a site on one tab crashes, the entire browser goes down along with anything you might have been working on such as blog posts, web initiated database updates, etc. in the other tabs. As I understand it, if I were using Google Chrome, only that bad tab would close, the browser and my other tabs would remain operational.

Whether the same could be done without being such a memory hog, I don't know.

[deepsand]

Being a memory hog is neither good nor a design goal; rather, it is a consequence of design choices. That the goal which guided the design choices may be laudable does not serve to make the undesirable consequence less undesirable.

Being a memory hog means that it will unsuitable for use on many machines, with the result that it will go unused by many owing to the lack of desire and/or ability of users to spend money to upgrade their platforms for the mere use of a certain browser.

A good intention comes to naught if it's not easily realized.

[Orion]

Quote:

Originally Posted by deepsand

Being a memory hog means that it will unsuitable for use on many machines, with the result that it will go unused by many owing to the lack of desire and/or ability of users to spend money to upgrade their platforms for the mere use of a certain browser.

Note: that Chrome, even being a memory hog still 'hogs' less memory than firefox does... and that is still faster on my systems here than IE7 is ...

Would be nice to see if their able to curb its appetite.

Initial reports on the IE8 have raised my eyebrows though.. Could be a real shocker.. a good working product, from microsoft???!!!!!! almost hard to believe! (lol)...

[deepsand]

Quote:

Originally Posted by Orion

Note: that Chrome, even being a memory hog still 'hogs' less memory than firefox does... and that is still faster on my systems here than IE7 is ...

Would be nice to see if their able to curb its appetite.

Initial reports on the IE8 have raised my eyebrows though.. Could be a real shocker.. a good working product, from microsoft???!!!!!! almost hard to believe! (lol)...

What version of FF?

As for IE8, I too was taken aback by the good grades it has garnered. However, given my intense dislike of IE7, it'll take more than favorable reports to sell me on IE8.

[cbosleeds]

One thing of interest about Chrome which I haven't fully tested yet, is that there is some possibility that it is picking up Google updates faster than IE or Firefox. On Tuesday I was having a look in the SERPS for a customer and on FF3 and IE7 they came up page 2 2nd on Google.co.uk - on Chrome they came up page 1 8th for the same search term on google.co.uk - this situation persisted until Weds when searches on google.co.uk through FF and IE caught up.

Whether or not this is an aberration or anything significant remains to be seen.

[deepsand]

Quote:

Originally Posted by cbosleeds

One thing of interest about Chrome which I haven't fully tested yet, is that there is some possibility that it is picking up Google updates faster than IE or Firefox. On Tuesday I was having a look in the SERPS for a customer and on FF3 and IE7 they came up page 2 2nd on Google.co.uk - on Chrome they came up page 1 8th for the same search term on google.co.uk - this situation persisted until Weds when searches on google.co.uk through FF and IE caught up.

Whether or not this is an aberration or anything significant remains to be seen.

There are any number of factors which would serve to explain your observations that are wholly unrelated to the browsers themselves; and, none related to the browsers other than a deliberate attempt by Google to manipulate the results based on the browser being used. I would discount the latter.

[kgun]

This browser should not have been launched on the home page of the web's most popular search engine. IMO, it should have been launced silently on the lab's pages, or as a tool for webmasters. If you don't understand that this browser is fast, you don't know much about programming. Worse then, is the huge use of memory for a small browser.

[Terry Van Horne]

Google Launches Cloud Operating System 'Chrome' And Calls It A "Browser"
Henry Blodget

Sums it up for me pretty well. It's not a browser. It's clean because the widgets "office" apps are plugins. It will be slow as mo and be about as secure as a screen door for a while.

[deepsand]

Excerpted from Google Chrome: Browser Or Cloud Operating System? - Analytics - InformationWeek

"One of the more troubling things about Google Chrome is something I found in its Terms of Service agreement (which most people click through without reading before downloading Chrome).

"17. Advertisements

17.1 Some of the Services are supported by advertising revenue and may display advertisements and promotions. These advertisements may be targeted to the content of information stored on the Services, queries made through the Services or other information.

17.2 The manner, mode and extent of advertising by Google on the Services are subject to change without specific notice to you.

17.3 In consideration for Google granting you access to and use of the Services, you agree that Google may place such advertising on the Services."

Google is an advertising company, and they already collect a huge amount of personal data on everyone to target ads at us. Being the browser vendor will give them that much more personal and behavioral data, which will be even more worrisome if the Chrome browser evolves into a cloud operating system."

[Terry Van Horne]

Quote:

Originally Posted by deepsand

Google is an advertising company, and they already collect a huge amount of personal data on everyone to target ads at us. Being the browser vendor will give them that much more personal and behavioral data, which will be even more worrisome if the Chrome browser evolves into a cloud operating system."

I get advertising... as it is the only way to truly combat software piracy. I don't want them collecting any data on my computer use that is NOTFB and I'll gladly pay to keep it that way!

[deepsand]

What does "Don't be Evil" really mean?

Google Fixes Chrome's End User Terms Of Service -- Google Chrome -- InformationWeek

[kgun]

Quote:

Originally Posted by Terry Van Horne

I don't want them collecting any data on my computer use that is NOTFB and I'll gladly pay to keep it that way!

Personal advice.

1. Use the Opera Browser and write opera:config in the address field.
2. Learn advanced Opera configuration and your problem will be reduced (eliminated).

[Peter (IMC)]

Main problem I'm having with Chrome is that it's really bad with flash files. Hangs the browser up very often for like 5 to 20 seconds. In that time I can't do anything with Chrome,.. I just have to wait until it has recovered itself.

Sometimes when you switch to another tab, the screen updates as if you´re downloading an image way back in 1994. Line by line.

[deepsand]

PC World - Google Bends to Chrome Privacy Criticism

[deepsand]

Google Chrome Hit With Another Security Bug - Security - IT Channel News by CRN and VARBusiness

[yserfriendly]

A great way to make a product better eh? Just send out a Beta and let hackers give a free review.
They just have nothing better to do.

[deepsand]

They just don't make Betas like they used to.

[Peter (IMC)]

Quote:

Originally Posted by yserfriendly

A great way to make a product better eh? Just send out a Beta and let hackers give a free review.
They just have nothing better to do.

Quote:

Originally Posted by deepsand

They just don't make Betas like they used to.

The best captains usually are on shore I guess.

Isn't that the way Microsoft does it? FireFox is developped in the same way,... pretty much all software is built like this.

In the old days software was just much simpler, so obviously a lot less could go wrong with it.

[deepsand]

Quote:

Originally Posted by Peter (IMC)

In the old days software was just much simpler, so obviously a lot less could go wrong with it.

In the "old" days software was not "much simpler;" in fact, from the developer's standpoint, it was much more complicated, owing to much of it being done in machine and/or assembly languages.

What has changed is that:

1) Current applications, being developed using suites of "design environments," insulate the developers from the resultant code, making for opaque code, which results in making testing more difficult; and,

2) Quick & easy on-line deployment of both the initial release and subsequent "bug fixes" makes for less care being given to the initial release.

In the "old" days, beta software & hardware were both delivered to select groups of professional users, i.e. data centers with both systems and application programmers, with the result that problems were more quickly & properly identified and reported, with fixes being more rapidly provided. The betas of yesteryear were, for the most part, very much closer to being ready for prime time than those of today.

Nowadays the approach is more akin to throwing a pile of shit at the wall & seeing how much sticks, with many being little to no more than alpha releases.

[Peter (IMC)]

You´re not getting it. You´re looking at it from the developper's point of view. But you have to look at the software it self, not the way it is developped.

Sure, now a days developpers have a lot more tools available than before. Now they can build software that is much more complicated (in functionality) than in the old days. This is why bugs are much more likely to exist.

Doing development the old way like you describe has 2 disadvantages: Extremely expensive and extremely slow.

Also keep in mind that we´re talking about a browser and not financial management software in which mistakes are much worse. There is a difference. Also it's opensource which is another reason for leaving more to the market.


I don't like it when people say that things were better in the old days. It irritates me and is at best a sign that people have stopped learning and refuse to open up to progress.

[deepsand]

Quote:

Originally Posted by Peter (IMC)

You´re not getting it. You´re looking at it from the developper's point of view. But you have to look at the software it self, not the way it is developped.

How it is developed has a direct bearing on the results.

Quote:

Originally Posted by Peter (IMC)

Sure, now a days developpers have a lot more tools available than before. Now they can build software that is much more complicated (in functionality) than in the old days. This is why bugs are much more likely to exist.

That the functionality of the whole may be greater does not preclude one from designing at the level of the parts. Bugs are more likely to exist, not because the parts are "more complicated," but because the whole is created by packaging many generalized parts, each of which is a compromise, rather than developing parts that are optimized for the particular whole. The result is a plethora of unknown and unintended interactions, which, being unknown, hinder adequate testing.

Quote:

Originally Posted by Peter (IMC)

Doing development the old way like you describe has 2 disadvantages: Extremely expensive and extremely slow.

The "old" way, which did not entail using a sledge hammer to drive in a tack, which is what using "software development environments" (SDE) is, is not necessarily either more expensive or slower than the "new" way of using SDEs.

Quote:

Originally Posted by Peter (IMC)

Also keep in mind that we´re talking about a browser and not financial management software in which mistakes are much worse. There is a difference.

Tell that to the person whose financial accounts were compromised owing to a browser flaw.

Quote:

Originally Posted by Peter (IMC)

Also it's opensource which is another reason for leaving more to the market.

Of what relevance is this? Are you saying that open source code is inherently inferior to proprietary code? And that the only way to improve it is to seek the aid of the public ?

Quote:

Originally Posted by Peter (IMC)

I don't like it when people say that things were better in the old days. It irritates me and is at best a sign that people have stopped learning and refuse to open up to progress.

It may also be a sign that some things have in fact taken a turn for the worse. And, that some take offense at having their work criticized for being less than it could be.

[Peter (IMC)]

The last thing I want to do is to critisize the old ways. Everything is contemporary. The cars developed in 1934 were the best cars that could be made in 1934. There is nothing one can say that would indicate the people that developed them were less smart or did a less good job than people that develop cars in 2008. But you have to admit that a car developed in 2008 is much better than a car developed in 1934. At the same time, there are tons of things that can go wrong with a car developed in 2008 that could never go wrong in cars developed in 1934. (at least I never heard of a 1934 Ford with a faulty memory that causes it not to start.)

This is not about the people, all I'm saying is that the more complex things are, the more likely it is that there are bugs. When 5 things go wrong in a complex system that consists of 8000 parts you´re actually doing better than when 1 thing goes wrong in a system of 500 parts. However, on the outside it looks like it's 5 times more problems.

[kgun]

Programming today is in some way much easier and well structured

• MPSOFTWARE » Home of phpDesigner 2008 » Fast Powerful PHP IDE & PHP Editor!
• Home - www.phpedit.com
• phpJobScheduler - scheduling PHP scripts to run at set intervals your replacement for cron jobs

but at the same time much more complex (break it down in its smallest elements, test, test again and compile and link the components together). Code reuse is a main principle in object oriented programming that in a sense revolutionized programming. Design patterns generalized it further. (See last link in my signature for more information). That does not mean that procedural C programs with minimal overhead is best for some number chruncing applications, may be not for a web browser where the GUI is important. And it is the GUI that may make a program less transperent even if intellisense technology make developement extremely fast, but also complex.

The Google Chrome code is based on new concepts like cloud computing and JavaScript is compiled behind the scenes using the Danish V8 engine. This and the security model will be studied in detail by the other browser vendors.

Related link: New Firefox JavaScript engine is faster than Chrome's V8

Quote:

Originally Posted by Peter (IMC)

Also keep in mind that we´re talking about a browser and not financial management software in which mistakes are much worse. There is a difference. Also it's opensource which is another reason for leaving more to the market.

Quote:

Originally Posted by deepsand

Tell that to the person whose financial accounts were compromised owing to a browser flaw.

A program is no better than the person(s) who coded it. Good coders test retest and refactor their code. The best programmers rely on their own programming skills.

[deepsand]

Google Chrome's Shine Is Fading -- Google Chrome -- InformationWeek

[deepsand]

Quote:

Originally Posted by JeyrameXRu

Hello sirs Anybody can give me link to the XRumer's homepage?Or maybe some information...Thank you very much!!!P.S. Âîò óðîäû...

Aside from the fact that such is both obvious & easily obtained, 1) what has such to do with the subject of this thread; and 2) why would we be interested in assisting anyone interested in forum spamming?

[deepsand]

PC World - Google Patches Chrome 'Carpet Bomb' Bug

[deepsand]

PC World - Google Updates Chrome to Third Beta

[deepsand]

Google Chrome Privacy Issues Prompts Plea To Google Execs -- Google Chrome -- InformationWeek

[computek7]

Though Google Chromes interface is pretty good, I feel that lot of addons has been coming up. As the google chrome browser has been in the testing phase still, there would be loop holes for vulnerabilities, which google will fix up in the future releases or even updates.

It always good, that we dont give an remember passord option in the Google chrome for sometime, until its release gets stable, and makes us think, its upto our satisfaction level and reaches the security level.

Thanks,

Yuvaraj
K7 Computing
The Pro in Protection
www.k7computing.com

[deepsand]

Google Quietly Patches Chrome - PC World

[deepsand]

Browser Bug Report: Chrome Buggier Than Firefox or IE - PC World

[deepsand]

Google Chrome May Leave Beta Soon - PC World

[deepsand]

It's Official: Google Chrome Exits Beta - PC World

[deepsand]

Google: A Matter of Trust - PC World

[deepsand]

Google Updates Chrome - PC World

[kgun]

I don't rely on that browser.

Google Answers Some Tricky Questions

Business is war. (Page search that term)

Business is war, but we are not evil, music or noise?

[deepsand]

Google Previews Chrome 2.0 - PC World

[kgun]

I think Opera are studying that open code and may use it to improve their browser's security model.

[deepsand]

Google Says Chrome Will Be Forever in Beta - PC World

[kgun]

That is different from the above post

<quote>
Thursday announced that its Chrome browser would be in a "never-ending" beta test, and gave users three options to update their copies at varying intervals.
</quote>

"never-ending"

[deepsand]

It's probably more accurate to say that there will continually be a revision in either alpha or beta, but not both.

[deepsand]

What Is Google Really Doing With Chrome? - Business Center - PC World