September 5th, 2008

Google Chrome vulnerabilities starting to pile up

Posted by Ryan Naraine @ 9:33 am

Categories: Arbitrary Code Execution, Browsers, Complex Attacks, Data theft, Exploit code, Firefox, Google, Java, Malware, Pen testing, Research, Vulnerability research, Web 2.0

Tags: Google Inc., Vulnerability, Web Browser, Google Chrome, ModSecurity, Web Browsers, Security, Internet, Ryan Naraine

[ UPDATE: See below for Google's official response to these issues ]

Security vulnerabilities in the new Google Chrome browser are beginning to pile up.

Following our coverage of the carpet bombing combo threat and denial-of-service crashes, several readers have sent pointers to Chrome exploit code floating around the Web:

• First up is an automatic file download bug found by researchers in the Ukraine.  The proof-of-concept exploits (there are three) drop an executable (hack.exe) in the default download directory without any intermediate warning.
• Vietnamese research outfit SVRT-Bkis has published demo exploits for what is described as a critical buffer overflow that could lead to remote code execution attacks.  “The vulnerability is caused due to a boundary error when handling the “SaveAs” function. On saving a malicious page with an overly long title (<title> tag in HTML), the program causes a stack-based overflow and makes it possible for attackers to execute arbitrary code on users’ systems,” the group said.  An attack scenario would require some form of social engineering.

Vulnerability researcher Robert ‘RSnake’ Hansen is very harsh in his response to Google’s decision to build its own browser:

If you build a browser in isolation, you don’t get the benefits and knowledge of the smart people who have come before you. Yes, Google’s browser is open source, like Firefox. But even Firefox came from Netscape, which had tons of background in the browser world, and Mozilla, too, has learned from a mistake or two. It is easy to call into question Google’s ability to build a safe browser given its rather poor track record in other areas of security. And no, you shouldn’t download it — not if you care about your security. So, like cryptography, you shouldn’t build a browser unless you really, really know what you’re doing.

ModSecurity’s Ivan Ristic has a different reaction to the news of Google Chrome security hiccups:

The whole point of having a public beta release is expose a product to a wide audience and deal with the discovered problems prior to a stable release. The existence of security issues in Chrome is in line with our current inability to develop software free from security issues. Thus, people should not be distracted by the small problems that are now discovered. We should be  looking at the big picture instead. Chrome is a browser that’s been designed from the ground up with security in mind. That’s bound to have a positive impact. We’ll know more about the impact once the details of its architecture surface.

Ristic however called on Google to stop abusing the “beta” tag because it unacceptably blurs the line between beta and stable. “How else are users going to be able to judge what is acceptable for production use and what isn’t?”

UPDATE:  Google’s PR team e-mailed the following statement:

• “We became aware of this vulnerability last night and began working on a fix immediately.  We expect to release the fix soon through an automated update to the browser, so users will not have to take any action to be protected.  As always, Google asks researchers to practice responsible disclosure, so potential vulnerabilities can be evaluated and fixed before they become public and before users are subjected to unnecessary risk.  Security bugs for Google Chrome can be filed at code.google.com/p/chromium.“