Thursday, September 4, 2008

Security Exploits to Google Chrome Browser Emerge

Google's Chrome Web browser -- complete with quirky marketing comic book -- made a splash when announced on Tuesday, but what a difference a day makes. On Wednesday, proof-of-concept bugs affecting the Internet app were disclosed.

First, Rishi Narang, who is part of the EvilFingers security portal, identified a denial-of-service vulnerability that crashes the Chrome browser when tabs are open during a browsing session.

A second proof-of-concept vulnerability also emerged on Wednesday that allows a malformed URL to crash or "carpet bomb" the Chrome browser. This exploit was discovered when independent researcher Aviv Raff figured out that he could combine two vulnerabilities -- a flaw in Apple Safari (WebKit) and a Java bug discussed at this year's Black Hat conference. His exploit tricks users into launching executables directly from the new browser.

Google's Chrome browser is partly based on open source software components used in Mozilla's Firefox and Apple's WebKit. The malformed URL vulnerability stems from the WebKit problem that similarly affected Apple's Safari browser. Apple has since patched Safari, but Google is using a version of WebKit that is still vulnerable to this kind of attack, experts say.

Debates across the IT security community have noted that Microsoft Internet Explorer 8, currently at Beta 2, comes with a bevy of security and privacy functions. Meanwhile, Google, observers say, is far more likely to press for a release that does not meet the more stringent security requirements that IT pros in the enterprise space are used to seeing.

"As was the case a decade ago at Microsoft, inside of Google, marketing still appears to carry a much bigger stick than the security folks do," said Randy Abrams, director of technical education at San Diego-based security software company ESET. "This makes it impossible to place the proper emphasis on security. As a result, Google will be responding to flaws much more often than proactively preventing vulnerabilities."

Mixed Reaction Among Security Pros
Critics contend that Microsoft's offering will continue to be more secure than Google's because of Microsoft's greater emphasis on security these days. Google has not yet worked out all the technical considerations amid the flying confetti.

It's likely that Google's Chrome will be plagued by the same vulnerability issues faced by Internet Explorer, Mozilla and Safari, said Mandeep Khera of Santa Clara, Calif.-based Cenzic Inc., in an e-mail statement.

"The question is how will Google protect against common Web application security issues such as cross-site scripting and cross-site request forgery? Additionally, since it is based on the WebKit used by Safari, it is possible that some of these known vulnerabilities will be propagated," Khera said.

For his part, Phil Lieberman, president of Lieberman Software, a Los Angeles-based Windows application security support company, is not at all impressed. He said that perhaps if Google can make Chrome "cool," they might be able to "get all of the Apple/Mac/iPhone sheep to follow them," but he contends that serious enterprises are not into "cool or into Google as an enterprise partner."

"Enterprises are not going to change," Lieberman said. "Reason: they don't need more security holes in their infrastructure caused by untested software. By the way, if the browser goes 'big time/melt the enterprise down to molten lead' bad, who are you going to call to solve it?"

In that vein, analysts contend that Microsoft's hosted offerings, such as Dynamics CRM Online, Exchange Online and SharePoint Online, will fare better in terms of security than Google's products in the enterprise space because of Redmond's existing channel customer and product support infrastructure.

"Bottom line is this: Google does not answer their phones. Microsoft does," Lieberman argued. "Microsoft provides support, makes money from their applications, has a reputation to protect. That gives them the edge in the near and long-term."

Security the Google Way?
At this point, the only thing completely secure about the Google browser is how tight-lipped the search engine giant is about security questions. The company wouldn't comment on current developments, but pointed to its official announcement, written by Sundar Pichai, Google's vice president of product management, and its engineering director Linus Upson.

In the post, Google said users can stay safe by "keeping each tab in an isolated sandbox to prevent one tab from crashing another and provide improved protection from rogue sites."

Wolfgang Kandek, CTO of Redwood Shores, Calif.-based network security firm Qualys Inc., contends that based on his initial observations of the Beta version, the Google Chrome browser protects indirectly against some of the more common threats, such as cross-site scripting and cross-site request forgery. It can also ward off other server-side exploits that are typically used to deliver malware through a vulnerable browser to the desktop, he said.

"Chrome's 'sandbox' concept is designed to prevent access to the host operating system to prevent the installation of the malware," Kandek added. "Chrome also uses Google's database of known malware sites to prevent and alert when a user accesses a site that has been flagged as hosting malware."

According to security pros, the "calculate-danger-on-site" nature of Chrome leverages Google's massive site-crawling capabilities to evaluate Web-site code for these vulnerabilities in an automated manner. That capacity gives users a quicker heads up than other browsers.

ESET Research Director Jeff Debrosse even posits that as the browser evolves, Google will add its own security bells and whistles to grow with user demand and frequency of use.

"There isn't any reason why Google would not implement their Safe-Browsing API [application program interface] within their own browser," he said. "It will be interesting though to watch how this turns out because it will be a testament to their belief in the effectiveness of their API. Basically, if Google eats their own dog food, it might not be that bad."

Google's security measures may become a concern at the enterprise as Chrome's use becomes more widespread, according to Jason Miller, security data team manager for St. Paul, Minn.-based Shavlik Technologies.

"At one time, many people would state that the only way to be safe surfing the Internet was to use a non-Microsoft product," Miller said. "As Firefox gained in popularity and usage, evil hackers found security vulnerabilities in the product and took advantage of them. The evil hackers, in most cases, will focus their efforts on a widely used product. This could be another product that administrators lose sleep over with newly discovered vulnerabilities."

Browser security issues include social engineering and anonymous and frequent changes to open source code. In this sense, the edge goes to Microsoft with its monitored and supported proprietary programs.

"With Internet browsers, the vulnerabilities that are found and exploited can be particularly nasty," Miller said. "Evil hackers could potentially create a Web site that exploits security flaws to take control of systems, and that's a condition that isn't going to change."
