Skip to content

Google Chrome beta comes with security holes

3-9-2008

Yeah Google is trying something New But wait it is far too new….. Please read on……..

With Google pushing a beta of their new browser Google Chrome on the front page of http://www.google.com, it wouldn’t be long before people started locating security problems. And first reports show that at least two problems are present, and that it isn’t ready for production systems.

Randy Abrams, director of Technical Education at ESET, claimed that as vulnerable code was used users should only use Chrome when they are not viewing sensitive pages.

He claimed that the oversight by Google is indicative of either a lack of attention to security in development, or a mandate to put something out there by a certain date without regard for quality from a security standpoint.

He said: “Google’s inattentiveness to security was one of the feature presentations at the Blackhat conference this year. Anyone who has followed Google with respect to security would not trust that Chrome will be safe to use for quite some time.

“Google is at about the same place Microsoft was a decade ago. They have some bright security people, but marketing is trampling over security right, left and centre. Like Microsoft, security inside of Google is only likely to have an appropriate voice when their lack of security starts to affect the bottom line.””

Read more of this article: http://www.scmagazineuk.com/Google-Chrome-criticised-over-lack-of-security/article/116485/

Security specialist Aviv Raff has a demonstration of one problem. When you visit the page, without prompting, a file is downloaded, and the user is encouraged to click on the download. The file is actually a Java jar file which in the demonstration does nothing more than launch a Java notepad applications, but of course could carry a malicious payload.

The vulnerability appears to use a vulnerability in Webkit, previously noted in Safari, called Carpet Bomb and a bug in Java. With the Safari Carpet Bomb, Safari downloaded DLL files to the desktop automatically, which were, for reasons unknown, automatically executed by Windows at startup. Apple has defused the Carpet Bomb in Safari 3.1.2, but Chrome uses an earlier branch of the Webkit renderer and still has the problem.

Another problem was found in Chrome’s protocol handling, as a demonstration page shows. The protocol handler name has a “special” character at the end of its name, and this character causes the handler to crash, taking down the browser. The failure appears to be down to the protocol handler not being isolated to a process in Chrome’s multi-process architecture.

Google Chrome Browser Vulnerability, Exploit by Rishi Naran

Thanks Peter for this …………….

Even worse that that… Have you guys read the EULA http://www.google.com/chrome/eula.html

Scroll down to section 11
QUOTE
11. Content license from you

11.1 You retain copyright and any other rights you already hold in Content which you submit, post or display on or through, the Services. By submitting, posting or displaying the content you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through, the Services. This license is for the sole purpose of enabling Google to display, distribute and promote the Services and may be revoked for certain Services as defined in the Additional Terms of those Services.

11.2 You agree that this license includes a right for Google to make such Content available to other companies, organizations or individuals with whom Google has relationships for the provision of syndicated services, and to use such Content in connection with the provision of those services.

11.3 You understand that Google, in performing the required technical steps to provide the Services to our users, may (a) transmit or distribute your Content over various public networks and in various media; and (cool.gif make such changes to your Content as are necessary to conform and adapt that Content to the technical requirements of connecting networks, devices, services or media. You agree that this license shall permit Google to take these actions.

11.4 You confirm and warrant to Google that you have all the rights, power and authority necessary to grant the above license.

END QUOTE

Yeah, I don’t think I want to give them the right to publicly display and distribute any Content which I submit, post or display on or through the browser.

Now re-consider is Google Browser really worth it??

Advertisements
No comments yet

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: