Saturday, September 06, 2008

Not so Chrome.

From the SANS Institute newsletter (NewsBites):

--Chrome Gets Some Dents
(September 3, 2008)
People have already begun to find vulnerabilities in the beta version of Google Chrome, the company's new web browser. In one scenario involving a flaw in the WebKit engine and another in Java, users could be tricked into downloading executable files. In another scenario, the browser could be crashed when users click on maliciously crafted links.

Proof-of-concept code has been posted for both vulnerabilities.
http://www.informationweek.com/news/internet/google/showArticle.jhtml?articleID=210300297
http://www.scmagazineus.com/Google-Chrome-flaws-come-soon-after-browser-release/article/116251/
http://www.heise-online.co.uk/security/Google-Chrome-beta-comes-with-security-holes--/news/111458

[Editor's Note (Pescatore): Let's see: by my math, if you multiply the security level of consumer-grade software times the security level of beta code, you get a whole mess of vulnerabilities that will be easily exploited. That said, I would love to see more competition in the browser world drive browsers to simpler code bases with more focus on security as the top feature, vs. trying to bundle in email clients and all kinds of other stuff.

(Schultz): For a nice, unbiased view of Chrome security, visit http://www.high-tower.com/blogs/bolcer/ ]

By the way, Chrome's EULA still shows:
"By submitting, posting or displaying the content you give Google (NSDQ: GOOG) a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display, and distribute any Content which you submit, post, or display on or through, the Services."
