If at first you don't succeed; call it version 1.0
Wednesday, September 03, 2008

In real life, when you take two species, a horse and a donkey, and mix them up you get a mule. In the browsers world, when you take a horse (Firefox/IE) and a donkey (Safari) and mix them up, you get – Google Chrome.
The new browser from Google tries to get the best from other browsers, but instead (well, at least in the current beta version), it seems to be doing quite the opposite.

The current beta uses an old version of WebKit - 525.13 - which is actually the same WebKit engine used by the old Safari v3.1. The current Safari version is v3.1.2, which fixed several critical issues, including the “blended threat” Carpet Bombing vulnerability. Google even mention that they use Safari v3.1 rendering engine in their own documentation (Thanks Yonatan Grabber for the information!)

On the other hand, Chrome borrowed (and modified) local resource files from the Mozilla project. And also, for some reason, in some cases there is an ActiveX plug-in loaded by Chrome, which might be an evidence of a capability of this browser to execute ActiveX controls.

mozchrome

I really wonder why Google have taken several features from other browsers and mixed them all together. Security wise, it’s very problematic.
They’ll have to track all security vulnerabilities in those features, and fix them in Chrome too. This will probably be only after those vulnerabilities were fixed by the other vendors or were publicly reported. It will put Chrome users at risk for a long time.

Back to the WebKit issue. I’ve created a proof-of-concept which demonstrates the automatic download vulnerability that was already fixed by Apple. This PoC will automatically download a JAR file and place it in the the downloads folder (there are reports that in some cases it will download it to the Desktop, as in Safari. In those cases, the Safari-Pwns-IE exploit can be easily converted to Chrome-Pwns-IE exploit).

Unfortunately, whenever Google Chrome downloads a file, it creates a download bar at the bottom of the page, which seems, for the untrained eye, as part of the page. The downloaded filename is displayed as a button, and the one click on this button will execute the file. If the file is an executable (e.g. .EXE, .BAT, etc.), Windows Explorer will show a warning that this file was downloaded from the Internet. In this case, Google Chrome does a good job by setting the Zone.Identifier in the alternative data stream.

coupwns

However, as was mentioned by pdp at his great Black Hat talk this August, when Windows Explorer will try to execute a JAR file, it will automatically run the associated application, which in most cases is the JRE (Java Runtime Environment). JRE will not check the Zone.Identifier in the alternative data stream, and will execute the JAR file with no warning. JAR file, of-course, should be treated as any other executable file. This is again a sort of a "blended threat". Two small issues in different products, when blended together create a much larger problem.

 

In conclusion, Chrome seems to be a very nice and slick browser, but it is far from being secured as it is advertised by Google. It borrows several insecure features from other browsers, and it has its own security design flaws.

Wednesday, September 03, 2008 7:24:45 PM UTC | Comments [7] | Security#
Thursday, September 04, 2008 4:52:52 AM UTC
The security they tout is in their architecture. The security issues you describe are important, but they do not appear to discredit the architecture features Google has brought to the table with Chrome.

Additionally, it is important to keep in mind that Google does and will continue to test their browser. As they find security issues in shared components, the solutions can be incorporated into both Chrome and the upstream component. This has the potential for a symbiotic relationship that can improve all involved.
Rusty Burchfield
Thursday, September 04, 2008 6:09:29 AM UTC
Nice assessment of the Google Chrome browser. A number of us were asking ourselves similar questions today though from a business perspective - why would Google enter the browser market? And if there were sound business reasons, would it have made more sense to simply partner with Mozilla (Firefox)? Google seems to have an edge when it comes to 3rd party apps such as the Google Toolbar. It is surprising they would take this leap into the browser itself.

And per your point, now they have to deal with security patches covering numerous browsers and add-on packages. It is another drain on Google resources which may not pay any dividends in the end. Unless of course they decide to have their browser access to Yahoo, AOL, MSN, etc. Of course one hopes they never go that route.
www.MBridge.com
Thursday, September 04, 2008 8:15:42 AM UTC
Unfortunately, whenever Google Chrome downloads a file, it creates a download bar at the bottom of the page, which seems, for the untrained eye, as part of the page.

This bug is depends of Chrome's configuration.
In mine case - Chrome asked where to save the file.

--
Alexander "Angelius" Filippov Technological Deep
Thursday, September 04, 2008 11:22:11 AM UTC
Cheers!

Keep up the good work ;)
Thursday, September 04, 2008 6:10:20 PM UTC
Solved!

http://www.sandeisacher.net/index.php/2008/09/04/google-chrome-bug-carpet-bombing-risolto-da-sandeisacher/
Thursday, September 04, 2008 7:57:12 PM UTC
@Alexander: Yeah, that is true, BUT by default that option comes deactivated, you and I are IT people, what about the people that wanted to try out the new shiny google product?

If they wanted to prevent this carpet-bombing the option should be activated by default, but then again, if you tick the box off you can get your computer bombed.

Right now I'm writing this comment on the very same Chrome, it is a nice and slick browser, it has it's flaws, but I see a great future for it, depends on us to make it better and reporting this kind of bugs.

Monday, September 08, 2008 3:32:33 AM UTC
wow !
nice article, raff. And thank you for the problem solver for a while, franco. :). Have you report it raff ?
Comments are closed.     
Send me an Email
Follow me on Twitter
RSS Feeds
  
Blogroll
Archive
Admin Login
Sign In
Disclaimer
The opinions expressed herein are my own personal opinions and do not represent my employer's view in anyway.