
David Baxter PhD

Late Founder
Google Chrome vulnerable to carpet-bombing flaw
Posted by Ryan Naraine
September 2nd, 2008

Google's shiny new Web browser is vulnerable to a carpet-bombing vulnerability that could expose Windows users to malicious hacker attacks.

Just hours after the release of Google Chrome, researcher Aviv Raff discovered that he could combine two vulnerabilities, a flaw in Apple Safari (WebKit) and a Java bug discussed at this year's Black Hat conference, to trick users into launching executables direct from the new browser.

Raff has cooked up a harmless demo of the attack in action, showing how a Google Chrome user can be lured into downloading and launching a JAR (Java Archive) file that gets executed without warning.

In the proof-of-concept, Raff's code shows how a malicious hacker can use a clever social engineering lure (it requires two mouse clicks) to plant malware on Windows desktops.

The Google Chrome user-agent shows that Chrome is actually WebKit 525.13 (Safari 3.1), which is an outdated/vulnerable version of that browser.

Apple patched the carpet-bombing issue with Safari v3.1.2.

Some Google Chrome early adopters using Windows Vista are reporting that files downloaded from the Internet are automatically dropped on the desktop, setting up a scenario where a combo-attack using this unpatched IE flaw could be used in attacks.
 

David Baxter PhD

Late Founder
DoS vulnerability hits Google?s Chrome, crashes with all tabs

by Dancho Danchev
September 3rd, 2008

Whoa! Google Chrome has crashed. Restart now? While Google's Chrome team is cheering, Rishi Narang from Evil Fingers is typing and releasing a proof of concept for a denial of service vulnerability that is successfully crashing the Chrome browser with all tabs. According to Narang's advisory:

"An issue exists in how Chrome behaves with undefined handlers in chrome.dll version 0.2.149.27. A crash can result without user interaction. When a user is made to visit a malicious link, which has an undefined handler followed by a 'special' character, Chrome crashes with a Google Chrome message window 'Whoa! Google Chrome has crashed. Restart now?'. It crashes on 'int 3' at 0x01002FF3 as an exception/trap, followed by a 'POP EBP' instruction when pointed out by the EIP register at 0x01002FF4."
Nothing's impossible; the impossible just takes a little longer.

Whenever a new product is in its introduction stage, it would logically attract a lot of attention from security researchers trying to make a point that it's vulnerable, and that some of the vulnerabilities are pretty trivial. For instance, yesterday David Maynor from Errata Security pinpointed possibilities for exploitation in Google's Chrome, saying that:

"Google just released Chrome, their own web browser. We decided to run it through Looking Glass and it doesn't look half bad. They at least have ASLR enabled on a few of their libraries, no NX though. Chrome is not as bad as some apps I have seen but that is not saying much."
What's important though, is whether or not the browser release would also start attracting the attention of cybercriminals. Being anything but old-fashioned, they too do their homework and take into consideration the market share of a particular browser in order to increase the impact of exploiting it. Consequently, for the time being the level of exploitability of Google's Chrome is right after Opera's from the perspective of the malicious attacker taking into consideration Chrome's non-existent market share.

Would the level of exploitability change? In the first quarter of 2009, Google would presumably release stats of the number of people who downloaded Chrome, demonstrating nothing else but the introduction stage of their browser. The question is, how many of those who downloaded it would actually stick with it, and would companies embrace it if it does get popular enough, potentially increasing the exploitability level of any upcoming vulnerabilities?

Considering the fact that according to public statistics of usage share of web browsers, IE6 users are just as many as IE7 ones, converting from Firefox or IE to Google?s Chrome is not going to happen overnight.
 

Retired

Member
Re: Security vulnerability in Google Chrome

Google has released an update to Chrome today. It will update automatically or you can force an update by opening the Tools | About Google Chrome window and it will offer the update. This is a security update and also fixes the scroll wheel problem that a lot of people ran into.
 

Daniel E.

daniel@psychlinks.ca
Administrator
Re: Security vulnerability in Google Chrome

I was the first person on my block to try it (after reading about it in this forum), but I quickly went back to IE and Firefox.
 
Re: Security vulnerability in Google Chrome

Do we really need another browser? I think Opera is by far the best and the fastest.
 

Daniel E.

daniel@psychlinks.ca
Administrator
Re: Security vulnerability in Google Chrome

I listened to a story about it on public radio, and one point that was made was that Google could optimize their browser for their online apps like for typing documents and stuff.
 

David Baxter PhD

Late Founder
Re: Security vulnerability in Google Chrome

The only reason I have personally for installing it is to make sure people using it can view my sites reasonably well.
 

David Baxter PhD

Late Founder
Google Chrome vulnerabilities starting to pile up
by Ryan Naraine
September 5th, 2008

Security vulnerabilities in the new Google Chrome browser are beginning to pile up.

Following our coverage of the carpet bombing combo threat and denial-of-service crashes, several readers have sent pointers to Chrome exploit code floating around the Web:

  • First up is an automatic file download bug found by researchers in the Ukraine. The proof-of-concept exploits (there are three) drop an executable (hack.exe) in the default download directory without any intermediate warning.
  • Vietnamese research outfit SVRT-Bkis has published demo exploits for what is described as a critical buffer overflow that could lead to remote code execution attacks. "The vulnerability is caused due to a boundary error when handling the 'SaveAs' function. On saving a malicious page with an overly long title (<title> tag in HTML), the program causes a stack-based overflow and makes it possible for attackers to execute arbitrary code on users' systems," the group said. An attack scenario would require some form of social engineering.
Vulnerability researcher Robert "RSnake" Hansen is very harsh in his response to Google's decision to build its own browser:

If you build a browser in isolation, you don't get the benefits and knowledge of the smart people who have come before you. Yes, Google's browser is open source, like Firefox. But even Firefox came from Netscape, which had tons of background in the browser world, and Mozilla, too, has learned from a mistake or two. It is easy to call into question Google's ability to build a safe browser given its rather poor track record in other areas of security. And no, you shouldn't download it, not if you care about your security. So, like cryptography, you shouldn't build a browser unless you really, really know what you're doing.
ModSecurity's Ivan Ristic has a different reaction to the news of Google Chrome security hiccups:

The whole point of having a public beta release is to expose a product to a wide audience and deal with the discovered problems prior to a stable release. The existence of security issues in Chrome is in line with our current inability to develop software free from security issues. Thus, people should not be distracted by the small problems that are now discovered. We should be looking at the big picture instead. Chrome is a browser that's been designed from the ground up with security in mind. That's bound to have a positive impact. We'll know more about the impact once the details of its architecture surface.
Ristic however called on Google to stop abusing the "beta" tag because it unacceptably blurs the line between beta and stable. "How else are users going to be able to judge what is acceptable for production use and what isn't?"

UPDATE: Google's PR team e-mailed the following statement:

"We became aware of this vulnerability last night and began working on a fix immediately. We expect to release the fix soon through an automated update to the browser, so users will not have to take any action to be protected. As always, Google asks researchers to practice responsible disclosure, so potential vulnerabilities can be evaluated and fixed before they become public and before users are subjected to unnecessary risk. Security bugs for Google Chrome can be filed at code.google.com/p/chromium."
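The SVRT-Bkis report above describes a "boundary error" in Save As: a filename derived from an over-long page title overruns a stack buffer. The C below is an added illustration of that bug class, not Chrome's code and not the researchers' exploit; the buffer size NAME_CAP, the function names, the ".html" suffix and the sample titles are all assumptions made for the example. It puts the unbounded copy next to a bounded version that truncates, neutralises path separators and always NUL-terminates, and it reports how many bytes the unbounded version would have written for a constructed 299-byte title.

```c
/* Added illustration (not Chrome's code) of the bug class reported above:
 * a "Save As" filename derived from an attacker-controlled <title> and
 * written into a fixed-size stack buffer. NAME_CAP, the function names and
 * the sample titles are assumptions made for this example. */
#include <stdio.h>
#include <string.h>

#define NAME_CAP   64                    /* hypothetical fixed buffer size */
#define SUFFIX     ".html"
#define SUFFIX_LEN (sizeof(SUFFIX) - 1)

/* Vulnerable pattern: the length of the copy is controlled by the page,
 * not by the buffer. A title of NAME_CAP or more bytes overruns 'out'. */
static void suggest_name_unsafe(const char *title, char out[NAME_CAP]) {
    strcpy(out, title);                  /* boundary error: no check against NAME_CAP */
    strcat(out, SUFFIX);
}

/* Bytes the unsafe version writes for a title (including the NUL):
 * anything above NAME_CAP lands past the end of the buffer. */
static size_t unsafe_write_size(const char *title) {
    return strlen(title) + SUFFIX_LEN + 1;
}

/* Hardened pattern: the caller passes the real capacity, the title is
 * truncated to what fits, path separators are replaced, and the result is
 * always NUL-terminated. Returns 1 if truncated, 0 if not, -1 on bad args. */
static int suggest_name_safe(const char *title, char *out, size_t cap) {
    if (title == NULL || out == NULL || cap < SUFFIX_LEN + 2)
        return -1;                       /* need >= 1 title byte + suffix + NUL */
    size_t max_title = cap - SUFFIX_LEN - 1;
    size_t tlen = 0;
    while (tlen < max_title && title[tlen] != '\0')   /* bounded scan */
        tlen++;
    int truncated = title[tlen] != '\0';
    for (size_t i = 0; i < tlen; i++)
        out[i] = (title[i] == '/' || title[i] == '\\') ? '_' : title[i];
    memcpy(out + tlen, SUFFIX, SUFFIX_LEN + 1);       /* copies the NUL too */
    return truncated;
}

/* Constructed sample input: a 299-byte title of the kind a malicious page carries. */
static const char *constructed_long_title(void) {
    static char t[300];
    if (t[0] == '\0') {
        memset(t, 'A', sizeof t - 1);
        t[sizeof t - 1] = '\0';
    }
    return t;
}

/* Each check returns 1 when the hardened function behaves as intended. */
static int check_short_title(void) {
    char out[NAME_CAP];
    return suggest_name_safe("Hello Chrome", out, sizeof out) == 0
        && strcmp(out, "Hello Chrome.html") == 0;
}

static int check_separators(void) {
    char out[NAME_CAP];
    return suggest_name_safe("a/b\\c", out, sizeof out) == 0
        && strcmp(out, "a_b_c.html") == 0;
}

static int check_overlong_title(void) {
    char out[NAME_CAP];
    int r = suggest_name_safe(constructed_long_title(), out, sizeof out);
    size_t n = strlen(out);
    return r == 1 && n == NAME_CAP - 1 && strcmp(out + n - SUFFIX_LEN, SUFFIX) == 0;
}

static int check_tiny_buffer(void) {
    char out[4];
    return suggest_name_safe("x", out, sizeof out) == -1;
}

int main(void) {
    char out[NAME_CAP];
    suggest_name_unsafe("benign", out);  /* fine for a short title; never call it with the long one */
    printf("unsafe, short title: %s\n", out);
    printf("unsafe would write %zu bytes for the long title into a %d-byte buffer\n",
           unsafe_write_size(constructed_long_title()), NAME_CAP);
    suggest_name_safe(constructed_long_title(), out, sizeof out);
    printf("safe, long title:    %s (%zu bytes)\n", out, strlen(out));
    printf("checks: %d %d %d %d\n", check_short_title(), check_separators(),
           check_overlong_title(), check_tiny_buffer());
    return 0;
}
```

The point of the safe variant is that every write is bounded by a capacity the callee is told about, not by data the page supplies; the truncation flag lets the caller decide whether to warn the user rather than silently saving under a shortened name.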
 