Los Angeles (CA) – With Google’s Chrome browser barely a day old, people are already trying to find security holes.  One security researcher Aviv Raff says he’s found a vulnerability that allows hackers to run almost any executable on the victim’s computer – provided that they are dumb inexperienced enough  to click on a download link.  But despite this finding, Chrome’s security features, which include everything from sandboxing to an incognito browsing mode, seem to hold up well for a brand new browser.

In development for more than a year, the Chrome browser looks deceptively simple.  Upon starting, you’re presented with a fresh white page that’s pretty much devoid of borders and most of the extraneous buttons that you would see on a traditional browser.  But behind this seemingly simple front-end is complex security code that tries to block malware from executing and interacting with the main operating system.  This “sandbox” feature gives all browser processes just enough privilege to run inside of Chrome and Google hopes it will stop the majority of hacker attacks.

Ok so sandboxing applications isn’t anything new and most people have heard of JAVA applications running in a sandbox.  But programming can only get you so far and stupid users have been known to render even the most secure applications pretty much worthless.  Using a vulnerability that was showed off at this year’s Black Hat security conference, Aviv Raff has developed proof of concept code that forces Chrome to open up applications on the desktop.  You can run the code at this link, but don’t worry it doesn’t do anything too horrible as it just pops up a notepad window.

But before you shout OMG vulnerability!, notice what you had to do to get that window to open.  First you had to be tricked into browsing to the website (ok not really that hard to do) and then you had to click the download button in the bottom-left corner that shows an executable .JAR icon.  Hmmmm…. Not exactly a huge vulnerability for security conscious users, but perhaps a minor annoyance to regular folks – just hope the hacker doesn’t run anything more serious than Notepad.

After playing around with Chrome for a few hours, I’ve discovered that this browser has some great security features that far eclipses any “vulnerability” so far discovered.  New browser tabs inside of Chrome run are processed independently of others and if one tab crashes if doesn’t take the rest of the browser with it.  There’s also an incognito mode that lets you browse web pages without caching any information.

So don’t worry and give Chrome a try.  Yeah the browser is beta and yes there may be some undiscovered security vulnerabilities, but really can you say anything difference about Firefox and Internet Explorer?

First Day of Chrome

Sep 02, 2008 20:21     

I loaded chrom for giggle. It does seem a little faster but the set up needs some work. If you import links from IE or Mozilla, they don't show up until after you shutdown chrome completely. Then you have to drag each to the bookmarks bar. Also, when importing it does not keep your home page. You have to navigate to it first, then dig through the chrome options (the spanner in the corner) to select your home page AND have the home page icon display.

RealGomer report abuse vote down vote up Votes: +1

Link to Chrome...

Sep 02, 2008 20:29     

Should have included a link for those who already don't have it... http://www.google.com/chrome
Henrik Gustavsson report abuse vote down vote up Votes: +2

But it's based on apple...

Sep 02, 2008 21:38     

It's nice, and I like a lot of the things they are doing, threaded processes, sandboxing as much as possible. But at the core, it's Apple Webkit. Which I don't care how good it is. It's apple. It's not googles. Don't get me wrong, I don't mind them using other technology to jump into the pool. But it's apple. Chrome just took a big step backwards by using apple. They lost me as a user just for that fact.

Chrome Skeptik report abuse vote down vote up Votes: -22

using Chrome right now...

Sep 02, 2008 22:10     

First impressions: not bad, not bad at all. It's very very fast. And very simple too, taking a lot of the uneeded b.s. out of the interface giving you more net. So far it's worked with everything I've tried. Even the script laiden TG sites. ;)
Narg report abuse vote down vote up Votes: +4

@Chrome Skeptik

Sep 03, 2008 00:11     

So your entire argument against Chrome (which you admit you like parts of) is it specifically uses Apple software? And without saying why you dislike the Apple software (I'm guessing your answer is "because it's Apple", which is ridiculous). I'll probably continue using Firefox, but definitely see the value in Chrome. We all know IE development only continues when its market share is being eroded. While Mozilla is doing ok against MS for now, Google has the resources to keep the pressure on MS indefinitely.

Hank report abuse vote down vote up Votes: +1

ha...

Sep 03, 2008 07:45     

If if wasn't for stupid users, things like virus scan and spy wear would have gone out of fashion years ago. There is a reason spam works, it's call dumb people!!! Err... I mean inexperienced people.
Action Jackson report abuse vote down vote up Votes: -3

Not based on Apple

Sep 03, 2008 08:24     

According to another article that I read, it is not based on Apple. It has parts that might link it to Mozilla or Apple but the source code is non-propietary; written from scratch by Google.
TomLeeM/BigWarpGuy report abuse vote down vote up Votes: -1

No security issues?

Sep 03, 2008 09:53     

You mean how it installs into the unprotected user data space in Windows but doesn't install into the secured Program Files folder? The user data space is not locked down with proper permissions as the Program Files folder is, and it also goes against all installation conventions that date back to 1994! This is the same way that spyware programs will install into systems. Coincidence???!!
Waethorn report abuse vote down vote up Votes: +4

fast..in relative term.

Sep 03, 2008 10:31     

yea...it save you 10ms on load...then you read the TG daily page for 10 minutes before you click next... where is the saving?
yo report abuse vote down vote up Votes: +2

http://www.kogmedia.com

Sep 03, 2008 12:53     

should be interesting to see if Chrome works more efficiently than FireFox... if it's faster than Firefox, since isn't IE, then i'll use it
media kingdom report abuse vote down vote up Votes: +0

It has very big security hole !! Read it

Sep 04, 2008 16:18     

A webmaster can upload exe files to the user's system without their prompts if they are using google chrome. check this out http://www.computersake.com/20...rity-hole/
Brandon Miles report abuse vote down vote up Votes: +0

Chrome Runs outside of "Program Files" security

Sep 05, 2008 03:57     

Is it just me or is the fact that Chrome works outside of "Program Files" a HUGE security flaw? (Check my link to my blog) http://blog.noop.se/archive/2008/09/05/google-chrome-plays-outside-of-vista-security-zones.aspx Cheers, /Magnus
Magnus mårtensson report abuse vote down vote up Votes: +0