On GameSpot: The booths, babes, and toys of TGS 2009!
BNET Business Network:
BNET
TechRepublic
ZDNet

March 23rd, 2009

Hackers steer clear of Google Chrome, say too challenging

Posted by Garett Rogers @ 9:26 pm

Categories: Uncategorized

Tags: Google Inc., Google Chrome, Hacker, Sandbox, Charlie Miller, Hacking, Security, Garett Rogers

At the CanSecWest security conference in Vancouver BC, hackers were invited to find and exploit holes in modern browsers. A popular target for hackers at this year’s conference was Safari on a Mac — definitely the lowest hanging fruit.

Charlie Miller explains that it’s not whether a product has holes (all of them do), its how easy it is to exploit those holes — and on a Mac, it’s very simple:

It’s clear that all three browsers (Safari, IE and Firefox) have bugs. Code execution holes everywhere. But that’s only half the equation. The other half is exploiting it. There’s almost no hurdle to jump through on Mac OS X.

He did mention, in his interview with Ryan Naraine, that Chrome was pretty much in another league. Their “sandbox” makes it extremely difficult to exploit — not only do you need to find a problem, but you also have to figure out how to get out of their Sandbox (an environment that has no access to anything on the computer).

There are bugs in Chrome but they’re very hard to exploit. I have a Chrome vulnerability right now but I don’t know how to exploit it. It’s really hard. The’ve got that sandbox model that’s hard to get out of. With Chrome, it’s a combination of things — you can’t execute on the heap, the OS protections in Windows and the Sandbox.

I might have this bug and I might be able to get code execution. But now you’r ein a sandbox and you have no permissions to do anything. You need another bug to get out of the sandbox. Now you need two bugs and two exploits. That raises the bar.

No hackers took on Chrome at the conference, simply because everything else was easier.

Garett RogersGarett Rogers Follow GarettRogers on Twitteris employed as a programmer for iQmetrix, which specializes in retail management software for the wireless industry. See his full profile and disclosure of his industry affiliations.


Email Garett Rogers

Subscribe to Googling Google via Email alerts or RSS.

  • Talkback
  • Most Recent of 78 Talkback(s)
Another clueless mac fan boy.
I guess you don't know this but Apple has Safari for the PC. There could easyly be more copies of Safari running on PCs than Macs even though it isn't very popular.... (Read the rest)
Posted by: deowll Posted on: 06/23/09 You are currently: a Guest | | Terms of Use
Chrome is good, but crashes most of the time  kmzdnetone | 03/23/09
Not my experience thus far  unredeemed | 03/23/09
i switched  tekWatcher | 03/24/09
Makes me laugh!!  Horus418 | 03/26/09
Further...  Horus418 | 03/26/09
Re: Makes me laugh  toml_12953 | 04/06/09
For his purposes it doesn't matter what the Acid3 score is.  deowll | 06/23/09
Your Firefox install is FUBARed  mikefarinha | 03/24/09
IE7, FF3, IE8  Mihi Nomen Est | 03/25/09
You don't read do you?  Spiritusindomit@... | 03/25/09
IE8 Faster than FF3.0 not 3.1  tech_walker | 03/25/09
Same Here  crypt2121 | 03/25/09
No crashing in Chrome  brent.hawthorne@... | 03/24/09
Not mine.  JohnMcGrew@... | 03/24/09
You may want to give this a try...  joe.smetona@... | 03/24/09
High Priority  sejeff@... | 03/25/09
Yup, you can use it to start any program.  joe.smetona@... | 03/26/09
Here's the information for Real Player Gold 11  joe.smetona@... | 03/26/09
Agree Chrome often crashes  walteradamson | 03/25/09
Chrome Crash  hhguy | 03/26/09
My copy of Windows 8 is a pain...  deowll | 06/23/09
RE: Hackers steer clear of Google Chrome, say too challenging  jestempies | 03/24/09
Eventually Chrome sandbox will fall  Mike Chaliy | 03/24/09
Actually, the sandboxes don't have anything in common  Lerianis | 03/24/09
Misconception about IE.  ye | 03/24/09
The problem that make IE "different" is...  kd5auq | 03/24/09
ActiveX runs with the same privileges as the browser.  ye | 03/24/09
AND  Spiritusindomit@... | 03/25/09
Question.  joe.smetona@... | 03/26/09
The below was true the last time I checked.  deowll | 06/23/09
Well that's not true  threedaysdwn | 03/24/09
RE: Hackers steer clear of Google Chrome, say too challenging  wayne62682 | 03/24/09
Way too soon to tell  ejhonda | 03/24/09
Chrome is much more robust  clixandru@... | 03/24/09
RE: Hackers steer clear of Google Chrome, say too challenging  jimmy-jam | 03/24/09
Gotta start somewhere  mikefarinha | 03/24/09
I am well aware  jimmy-jam | 03/24/09
Huh?  JohnMcGrew@... | 03/24/09
Stability is irrelavent  jimmy-jam | 03/24/09
Not a fan of pre text?  Dem0072 | 03/24/09
And exactly how many versions of IE, FF, & O did it take...  JohnMcGrew@... | 03/24/09
Re; and how many versions ...did it take  Col Mustard | 03/24/09
Not Swooning.... Spewing.. big chunks...  Reality Bites | 03/26/09
Why waste time . . .  brian ansorge | 03/25/09
all cbhrom,e needs is the google toolbar and adblock plus  Randalllind | 03/24/09
RE: Hackers steer clear of Google Chrome, say too challenging  ebradsher2@... | 03/24/09
Chrome is a great song by Montgomery Gentry  Aragorn_z | 03/25/09
Um...actually...  dakeynr | 03/25/09
RE: Hackers steer clear of Google Chrome, say too challenging  vandale | 03/25/09
Problem is websites that insist on active X etc.  clareJ | 03/25/09
RE: Hackers steer clear of Google Chrome, say too challenging  night-hunter | 03/25/09
I have been surfing since 1996...  loadedprick | 03/25/09
RE: Hackers steer clear of Google Chrome, say too challenging  Phantom.si | 03/25/09
Change a few words and repost ryan narraine's article  Spiritusindomit@... | 03/25/09
RE: Hackers steer clear of Google Chrome, say too challenging  billallyn@... | 03/25/09
I have to throw the BS flag on this one.  PaddyO | 03/25/09
Actually you're both wrong.  jhskim | 03/31/09
RE: Hackers steer clear of Google Chrome, say too challenging  elt10@... | 03/25/09
RE: Hackers steer clear of Google Chrome, say too challenging  veer01 | 03/25/09
FireFox won't remember passwords or login anymore  WebMonkey23 | 03/25/09
If you want your login info remembered  PaddyO | 03/25/09
Couple of thoughts  PaddyO | 03/25/09
I'm trying Chrome again  tech_walker | 03/25/09
RE: Hackers steer clear of Google Chrome, say too challenging  djseamus | 03/26/09
RE: Hackers steer clear of Google Chrome, say too challenging  Naelathe | 03/26/09
Google Chrome Shortfall on WRT54G Linksys Router  cyigitemmy | 03/26/09
Nice...we're back to security through obscurity  friedcow | 03/26/09
The theory of obscurity.  joe.smetona@... | 03/30/09
It said he needed two flaws.  deowll | 06/23/09
IE 8 final releasse not vulnerable to Cansec  tech_walker | 03/26/09
RE: Hackers steer clear of Google Chrome, say too challenging  Aragorn_z | 03/26/09
RE: Hackers steer clear of Google Chrome, say too challenging  BCupps | 03/27/09
RE: Hackers steer clear of Google Chrome, say too challenging  any1der@... | 03/28/09
RE: Hackers steer clear of Google Chrome, say too challenging  any1der@... | 03/28/09
Go New Safari  kkevilus | 03/30/09
Safari is a joke  guyonearth | 04/09/09
Another clueless mac fan boy.  deowll | 06/23/09
RE: Hackers steer clear of Google Chrome, say too challenging  deowll | 06/23/09

What do you think?

SponsoredWhite Papers, Webcasts, and Downloads

advertisement

Recent Entries

advertisement
Click Here

Archives

Favorite Links

ZDNet Blogs

White Papers, Webcasts, and Downloads