September 3, 2008 7:29 AM PDT

Chrome suffers first security flaw

by Robert Vamosi

On Wednesday, researchers announced a flaw in how the Google Chrome browser behaves with undefined handlers. An exploit provided as a demonstration crashes the new browser.

In an article on the Securiteam site, Rishi Narang from Evilfingers says a crash can occur without user interaction. If a user is provided a malicious link with an undefined handler followed by a special character, Chrome crashes.

In Google-speak, the browser displays a message "Whoa, Google Chrome has crashed. Restart now?"

Narang found the fault in chrome.dll version 0.2.149.27. More details can be found on this Evilfingers page.

And on Tuesday, mere hours after Chrome was released, researcher Aviv Raff concocted a proof-of-concept demo to show how the Google browser could be made vulnerable to a carpet-bombing flaw and thus open a window for ill-intentioned hackers.


As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
Showing 1 of 2 pages (53 Comments)
by tacit September 3, 2008 7:48 AM PDT
Google is about to learn a lesson: World domination is easy. Security is hard.
by joetesta70 September 3, 2008 8:03 AM PDT
HA! So much for the "sandbox".

Google is like a 1999 dot com. Free lunch, scooters everywhere. The only people pulling their weight are the search team...all others like Wordly, GMail Dodgeball and all the web based apps are like college term projects.

Did you see the live webcast where a reporter (missed her name) asked how they were going to push adoption of Chrome? Um....uh....we hope people will try it....
by joetesta70 September 3, 2008 8:09 AM PDT
Tabbed "Sandbox" didn't work by the way...it crashed the ENTIRE browser. Go to the URL above and see for yourself...
by Signal-Support-System-Spc September 3, 2008 8:25 AM PDT
This is in Beta version people. lol. That means it's for testing.
by rmva September 3, 2008 8:36 AM PDT
That's a cop-out. G-mail is STILL beta.
by joetesta70 September 3, 2008 8:37 AM PDT
The sandbox was touted as major feature, yet it broke on the first day of testing. That shouldn't happen in a Beta.
by fuzbears September 3, 2008 8:52 AM PDT
But it does put into question their whole sandbox concept even in "beta" status, as it indicates their code architecture itself is not isolated. Their sandbox should have been the one thing to get right before they put it out to the public. Combine this with them using a known bad version of WebKit and they aren't acting like the best and brightest; they are just plain sloppy.

Now if google did not use "beta" to label all their products, we could excuse this more easily as an early look.
by jdzions September 5, 2008 11:55 AM PDT
Every service at Google is a "beta" except search and ads. That's Google's excuse for not having to actually make their products secure, robust, and reliable. Nonetheless, there are people who are building their own business infrastructure around Beta services from Google (Gears, spreadsheets, word processing...). Those people will be forever slammed by problems just like this one... and Google apologists around the internet will say "But it's just a beta, people, what did you expect..."

Either Google is ready for corporate America to rely upon (in which case they need to ditch the "beta" excuse and build their stuff right), or it isn't. Pick one.
by cdotspace September 3, 2008 8:33 AM PDT
I like the way Chrome reveals all of your stored passwords in OPTIONS without complaint.
by M_K_Higa September 3, 2008 9:25 AM PDT
Mine only showed the URL and user name. It didn't display the password.
by acedanger49 September 3, 2008 10:53 AM PDT
I love the way Firefox3 does this exact same thing! Idiots...

(note the heavy use of sarcasm here)
by denigma78 September 3, 2008 4:39 PM PDT
You have to configure Chrome not to save or show your passwords. I've been using the browser for about a day now and it has not saved any of my passwords. You have to go to the wrench icon and choose don't save passwords.
by JunkSiu September 3, 2008 8:45 AM PDT
Well, just like "Signal-Support-System-Spc" said, this is a beta. Moreover, it is a first version beta. It is very obvious that there are lots of places it needs touching up.
by joetesta70 September 3, 2008 9:04 AM PDT
You're missing the point. This is pretty major if it crashes the whole browser. It's supposed to be a key differentiator. Now it's hard to know if it can be trusted.
by umbrae September 3, 2008 9:02 AM PDT
LOL.... I wonder if the researcher demoed this like a comic book, like Google's Chrome intro.
by tbsteph September 3, 2008 9:06 AM PDT
Ever wonder why these "security" related researchers can find flaws within hours yet the product developers cannot?
by Vegaman_Dan September 3, 2008 9:39 AM PDT
That means Google is hiring the wrong people to research and test the product before releasing it to the public. :)
by Penguinisto September 3, 2008 2:12 PM PDT
So Dan... does this mean (by your logic) that Microsoft absolutely, positively, has naught but incompetent coders within their ranks? Because Windows exploits usually come forth within 24 hours of a patch.

Or, more likely, because it's a lot easier to let Metasploit (or any homebrew fuzzer) pound on something for awhile than it is to write the code in the first place.
by ittesi259 September 3, 2008 9:13 AM PDT
The problem with all the attention that Chrome is getting is that very few outlets are stating clearly that it's a beta. Therefore it is not finished, has unknown and probably known bugs, and is using the media's love of Google to expand their test base.....so user beware.
by joetesta70 September 3, 2008 9:19 AM PDT
GMAIL is still beta. So is Google Docs and everything else. That's not a valid argument. It's major egg on their face.
by Kwasiowusu September 3, 2008 9:18 AM PDT
Next time Google takes yet another cheap shot at IE/Windows security, we know exactly what to tell them. As Google is finding out, it's far easier to attack and destroy than to actually build secure web products that consumers install on their computers and use.
by skillingssucks September 3, 2008 10:16 AM PDT
The Kwasiouwusu monkey doesn't know what "beta" means. Figures.
by Penguinisto September 3, 2008 2:13 PM PDT
Yeah, they'll say: "see, the worst that can happen with ours so far is that the app crashes. The worst that can happen with IE is that the user's machine gets turned into some script-kiddie's personal b!tch"
by Kwasiowusu September 3, 2008 8:17 PM PDT
Penguinisto :"Yeah, they'll say: "see, the worst that can happen with ours so far is that the app crashes. The worst that can happen with IE is that the user's machine gets turned into some script-kiddie's personal b!tch"

You'd better read the rest of the article..especially this part:

"And on Tuesday, mere hours after Chrome was released, researcher Aviv Raff concocted a proof-of-concept demo to show how the Google browser could be made vulnerable to a carpet-bombing flaw and thus open a window for ill-intentioned hackers."

There is ALREADY a big security hole in Chrome.
by Kwasiowusu September 3, 2008 8:20 PM PDT
@ skillingssucks: "The Kwasiouwusu monkey doesn't know what "beta" means. Figures."

The skillingssucks shill hasn't heard of sandbox. Figures.
by joetesta70 September 3, 2008 9:20 AM PDT
Let's face it - it's been in development for 2 YEARS (according to their own webcast). it's egg on Google's face and an "amateur hour" on the browser team.
by Dalkorian September 3, 2008 2:56 PM PDT
by skillingssucks September 3, 2008 10:17 AM PDT
Now let's really face it: You're amateur when it comes to programming and tech knowledge.
-----------------------------------------------------------------------
I'm just curious, what gives you the idea that joetesta has *EVER* written even one line of code?
by techman21 September 3, 2008 9:30 AM PDT
What Google product ISN'T beta (besides search)? It's an easy way to lower expectations and have your users accept your flaws more readily.
by Me-- September 3, 2008 9:41 AM PDT
Of course mighty google's browser is going to be flawless when it comes out of beta state as some are suggesting here... how long has gmail been in beta btw??
by skillingssucks September 3, 2008 10:19 AM PDT
Just admit that you're completely ignorant of Google's "beta" philosophy.
by Vegaman_Dan September 3, 2008 9:43 AM PDT
I tried it. It was very fast to display simple sites. It didn't like Flash at all though, and couldn't display content that Firefox, Safari, and IE could. I expect that to change over time.

I couldn't find a home button. No simple home button on the main screen itself. I can see a market for a lot of plugins to bring this unit to the same basic out of the box functionality that Safari/FF/IE has. It has a lot of potential, but a lot of missing features as well.
by inspectorrick September 3, 2008 10:17 AM PDT
You can easily add a homepage button by opening the options section, and clicking on the add home button title there. It places it on the left hand side of the page at the top...
by sketchee September 3, 2008 10:23 AM PDT
The home button isn't on by default, but you can turn it on in the options menu
by Vegaman_Dan September 3, 2008 12:23 PM PDT
Thanks for the suggestions on adding a home button. That sort of thing is something I'd expect on by default in a browser.
by Penguinisto September 3, 2008 9:46 AM PDT
As per security, maybe they should've released Chrome for an OS that wasn't such a nightmare to secure... and not just Windows.

Incidentally, if all it does is crash the browser, that's not even an actual security issue (now if that crash leads to a compromise or crashed the entire machine, that's a different story). If Chrome is anything like Firefox, a crash doesn't even mean that you lose any of the sites you were visiting.

Call me when it can actually do more than that (like when IE can let a malicious script turn your computer into a zombie, etc).

/P
by joetesta70 September 3, 2008 10:07 AM PDT
This has nothing to do with the OS and you don't know what you're talking about. I lost all of the sites I was visiting.
by Vegaman_Dan September 3, 2008 12:25 PM PDT
When it crashes, do you know what the consequences are? Have you performed that level of diagnostic and research yet yourself? If you haven't done this, then you really have no evidence to say it does or does not compromise security on the product or the OS that it is installed on.

Call me when you stop being a Microsoft bigot.
by Penguinisto September 3, 2008 2:17 PM PDT
@ the MSFT shill crowd:

* Yes, the consequence is that it crashes and you have to restart. Read the fscking research.

* Yes, it has everything to do with the underlying OS, since the app has to operate within the OS, use its API set, etc etc.

* joetesta, your sense of literacy is sorely lacking: I said "If" at the beginning of the sentence.
by Kwasiowusu September 3, 2008 9:53 PM PDT
@ by Penguinisto : "Incidentally, if all it does is crash the browser, that's not even an actual security issue "

Perhaps you'd better read the rest of the article, especially this part:

"And on Tuesday, mere hours after Chrome was released, researcher Aviv Raff concocted a proof-of-concept demo to show how the Google browser could be made vulnerable to a carpet-bombing flaw and thus open a window for ill-intentioned hackers"

Chrome already has a big security hole in it that opens it up to "ill-intentioned hackers".
And that was within HOURS of release?
No Chrome, no way.
by mbenedict September 3, 2008 11:50 AM PDT
@penguinisto

By definition, the ability to cause a program to crash is a security issue. Read up what the "A" in C-I-A triad means.

Further, a crash means there's an underlying problem which could potentially be further exploited. Often in security we "fuzz" an application to see if we can crash it, then from there see if we can exploit the problem. Since the Chrome source code is not yet available, it's going to take time to see if it's exploitable.

The second issue (carpet bombing) is also very serious despite Apple's initial efforts to bury-head-in-sand, as Ryan Naraine explained:

http://qwix.com/1d

Obviously a patch is available for this issue and Google needs to release an updated Chrome immediately.

Carpet bombing is a failure to handle iframes properly and lets an attacker drop arbitrary files onto the user's system.

Suppose the crash Rishi found (or another issue we don't yet know of) was further exploitable so an attacker can run arbitrary code. Now suddenly an attacker could combine these two flaws to drop malicious code and immediately run it.

That would be a massive security hole by anyone's standards.
by Vegaman_Dan September 3, 2008 12:26 PM PDT
Be advised that Penguinisto's only purpose in posting was to attack Microsoft's IE and has nothing to do with Google's product. His hatred for all things Microsoft sometimes leaves him blind to the obvious, I'm afraid.

Now once he has performed the amount of research necessary to demonstrate that the flaw does or does not compromise the host system, he really has no basis for his comments. It's all FUD.
by Penguinisto September 3, 2008 2:22 PM PDT
The worst that can happen is a DoS of the app (considering that it breaks somewhat sanely and doesn't commit a buffer overflow or a race condition). That barely ranks any higher than an inconvenience. If you read the post, you would have seen: "now if that crash leads to a compromise or crashed the entire machine, that's a different story".

/P
by Dalkorian September 3, 2008 3:03 PM PDT
by Penguinisto September 3, 2008 2:22 PM PDT
If you read the post, you would have seen: "now if that crash leads to a compromise or crashed the entire machine, that's a different story".
------------------------------------------------------------------------------
LOL. Thanks Peng. Expecting winblows users to be able to read AND comprehend something - that's a good one.
by onlyauser September 3, 2008 12:39 PM PDT
Do not trust Google Chrome.

Chrome is spyware masquerading as a browser.
by Dalkorian September 3, 2008 3:05 PM PDT
Got any proof? Not that I'm arguing with you, I think there are few other reasons for Google to do this, but "I heard from some anonymous person on a blog on the internet ..." never sits well with me, or with others.
;-)
by chromdome September 3, 2008 5:35 PM PDT
It's beta dudes! That means lotsa stuff needs focus. That's how we get it to where we want it. Remember LINUX? MOZILLA? WINDOWS 98? 2000?

OK - kush fueled conspiracy theories aside - it's flawed. Got as many bugs as a Louisiana porch on a mid-summer night.

Here's what I got.

SUSPICIOUS.

IMMEDIATE:

Microsoft HOTMAIL BROWSER UPGRADE is triggered by accessing MS HOTMAIL via CHROME. This stinks. It's industrial/legal complex sanctioned viral code that will screw you like a hungry female mosquito looking for blood for her young. (Thank you Mr. Steve "Gawd I Love This Company" Ballmer.)

Tequila shot #1. Blow that sucker with kindness and 40 proof.

It happens when you access MSFT websites via CHROME. (Didn't Google know this was a high probability?)

All my email sites are compromised. Weird messages - invitations to 'upgrade' my web-email browser. Works with IE - FIREFOX and some Apple sites. But - where is Chrome STEVE?

CRASHES.

Anything to do with Microsoft.
Google CHROME code triggers 'won't function' within Microsoft apps.

Still searching.

Like the premise - maybe it will shift MS into smarter mode.

chromdome.

CRASHES. All emai
by dadu53 September 3, 2008 7:27 PM PDT
So you got it to run??? How did you do that???
by dadu53 September 3, 2008 6:01 PM PDT
I've downloaded Google Chrome 3 times with no success in getting it to run. What am I doing wrong????? Please I need some assistance.
by Imalittleteapot September 3, 2008 9:44 PM PDT
I won $20 off this. I predicted the sandbox model wasn't a silver bullet and bet my friend, which is cool because I can never predict anything correctly. I also had absolutely no reason to believe I'd be correct either. Just based it on blahhh. However, I don't ever think the sandbox model will live up to developers' hopes 100 percent entirely. Making separate processes talk to each other on Windows is somewhat straightforward, but it's not all fun and games.

Anyway, there's not a single person here that could have done any better even if they had 25 years to do it. I don't care who you are. When your app gets released to the general public it's going to break. I'll wait to judge how many flaws it has when it is out of beta. Even when it is out of beta it will still have flaws, but we'll see if they're more or less than FF and IE and Opera.