How dangerous are the first Google Chrome vulnerabilities?

By Scott M. Fulton, III | Published September 8, 2008, 12:36 PM

A pair of security holes whose proofs-of-concept were validated by BetaNews show that Google Chrome may not have been as thoroughly inspected as Google would have us believe. But isn't finding bugs and holes what beta testing is all about?

A beta test is not a product debut, at least not by definition. So the discovery of the first few serious security vulnerabilities in Google's Chrome shouldn't, in and of itself, raise alarm bells. However, one may rationally wonder why a project that was in the works for at least two years, if not four, wasn't able to find these same security holes long before the independent researchers did.

Last week, we learned that a variant of the same security vulnerability that afflicted Apple's Safari for Windows two months ago also impacts the first Chrome beta. Although WebKit is the rendering engine for both products, architecturally speaking, this problem actually has nothing to do with rendering, but rather with how downloads are presented and handled.

Security researcher Aviv Raff has become particularly adept at spotting cross-site scripting vulnerabilities, and similar problems where one component is triggered to pass control to another component without appropriate controls in place. Last week's discovery is a classic Raff feat of juggling.

With Chrome, whenever a file is downloaded from a Web page, a control appears along the bottom left of a fresh status bar. It's part of Chrome, not the Web page, but many novice users may not know this. If the file is executable -- for instance, an .EXE file -- Windows Explorer will take note that you're trying to execute something downloaded from the Web. So here, Chrome is actually relying on the security mechanism Microsoft has already put in place.

But Microsoft's security mechanism doesn't extend to Java downloads, instead leaving that responsibility to Sun. So when the user downloads a .JAR file -- or rather, something that pretends to be a Java .JAR file, by virtue of the file extension -- Chrome's downloads bar executes it automatically. A software-based firewall such as ZoneAlarm can stop automatic execution, but without one of those, Chrome executes whatever was downloaded.

A proof-of-concept exploit in Google Chrome is about to trigger the launch of Notepad.

In BetaNews tests this morning with Chrome version 0.2.129.27, Raff's proof-of-concept placed a fake "free coupwns" download button at the bottom of Chrome's status bar. When we clicked on that, Java launched a Notepad application without any kind of warning or check to see whether the downloaded application had permission to launch code. In theory, it could have launched any code.

As anyone who uses a Google Toolbar with IE or Firefox already knows, Google's memory-resident automatic update application is particularly aggressive. In our tests, we've noted it can check for updates from five different sets of IP addresses as often as every half-hour. Chrome uses the same update application, according to our firewalls, which, once the Toolbar updater is cleared for Internet access, allow Chrome's updater through as well.

This morning, Google distributed build 0.2.129.29, and some sources had been reporting that this build would include a fix to this problem. In BetaNews tests, the Raff security hole remained -- .JAR files are still executed without warnings or permission checks.

Raff suspects the WebKit rendering engine of contributing to the problem, though on his personal blog last week he also cast suspicion on the fact that patches of Chrome's source code appear to have been taken from a handful of open source projects (with attribution, of course), including Firefox. Perhaps some degree of security is lost in all the patching together; but another problem Raff suggests is that borrowing so many ideas from others may mean Google will leave it to those other sources to fix their problems first, before it fixes its own.

"They'll have to track all security vulnerabilities in those features, and fix them in Chrome too," Raff wrote. "This will probably be only after those vulnerabilities were fixed by the other vendors or were publicly reported."

Some other peculiarities we noted in our tests: Chrome's downloaded files bar doesn't appear to have any way to remove the reference to a download that may have been accidental. You can open the thing, or you can tell Chrome you always want it to open files of the same type (which you'd think would be the problem in the first place), but you can't get rid of it until you get rid of the tab. Each tab also has its own download bar, which means that if you've downloaded files from several sites during the same session, they won't all appear together along the bottom. This is apparently because all plug-ins and processes in Chrome are attributable to the tab, not to the browser; in other words, each tab is a separate process, and nothing it triggers can be shared with another tab. In this particular case, we can see where that could become a headache.

We also noticed, though, that when you click on the Show all downloads link in the lower right corner of the downloads bar, Chrome pulls up a separate page listing links to everything you've downloaded from all sites. Well, now you have a new and separate tab to think about. But when you click on the .JAR file in this page, now there's a safeguard that prevents the file from running unchecked -- a safeguard that did not appear in the downloads bar itself.

Subsequent to Raff's discovery last week, Vietnamese security research firm Bach Khoa (BKIS) uncovered a different Chrome problem, though not one affecting files with .JAR extensions specifically. In its proof of concept, an attempt to save the contents of a page whose default filename is far longer than 256 characters can trigger code within that page to run unchecked.

BKIS said that, in systems running Windows XP Professional, Chrome could be triggered by its proof of concept to run Calculator, although it could have run any code. In BetaNews tests with build 0.2.149.27 on XP Pro SP3, we noted less destructive behavior: Chrome crashed, but it didn't run any unchecked code. After we upgraded to version 0.2.149.29, however, the browser behaved properly, giving us a default filename that was way too long, but then prohibiting us from saving the page under that name without shortening it first.
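As an added illustration (not Chrome's own code, and not from Raff's or BKIS's proofs of concept), the following Python models the two checks the article describes as missing or inconsistent in this build: a confirmation step for downloaded executables that covers .JAR as well as the types Windows already flags, and a default save filename that is cut to the filesystem limit instead of being passed through unchecked. The extension lists and the 255-byte name-component limit are assumptions made for this example.

```python
import os
import re

# Constructed lists for this example, not Chrome's. OS_CHECKED models types the
# article says Windows itself flags on open; NOT_OS_CHECKED models .JAR, which
# the article says Chrome's download bar launched with no check at all.
OS_CHECKED = {".exe", ".msi", ".bat", ".cmd", ".scr"}
NOT_OS_CHECKED = {".jar"}


def needs_confirmation(filename: str) -> bool:
    """True if opening this download should prompt the user first.

    The browser must not defer to the OS here: the decision is made on the final
    extension, case-insensitively, so 'free coupons.txt.JAR' is still a JAR.
    """
    ext = os.path.splitext(filename)[1].lower()
    return ext in OS_CHECKED or ext in NOT_OS_CHECKED


# Characters a Win32/NTFS file name component may not contain.
_ILLEGAL = re.compile(r'[<>:"/\\|?*\x00-\x1f]')
MAX_COMPONENT = 255  # assumed per-component byte limit for the example


def safe_save_name(page_title: str, ext: str = ".htm",
                   limit: int = MAX_COMPONENT) -> str:
    """Derive a default 'Save As' name from a page title that always fits.

    The BKIS proof of concept used a title far longer than the limit. Rather than
    handing that title to the save dialog unchanged, strip illegal characters,
    cut the stem by UTF-8 byte length (never splitting a multibyte character),
    and keep the extension so the file type is preserved.
    """
    stem = _ILLEGAL.sub("_", page_title).strip(" .") or "untitled"
    budget = limit - len(ext.encode("utf-8"))
    if budget <= 0:
        raise ValueError("extension alone exceeds the name limit")
    raw = stem.encode("utf-8")[:budget]
    stem = raw.decode("utf-8", errors="ignore").rstrip(" .") or "untitled"
    return stem + ext


if __name__ == "__main__":
    for name in ("coupons.jar", "free coupwns.txt.JAR", "readme.txt", "setup.exe"):
        print(f"{name!r}: confirm={needs_confirmation(name)}")
    long_title = "A" * 1000  # constructed stand-in for an over-long page title
    print(len(safe_save_name(long_title).encode("utf-8")), "bytes")
```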

Comments


LULZ ZOMG

Score: 0


MOAR PLOX

Score: 0


Sounds like a bit of social engineering to catch "n00bs". What would bug me is the adoption of this browser at all (for personal related activities), in terms of its Beta status and security issues.

Rather wait for the final release, or (troll warning) use Firefox?

Score: 0


I'm a bit confused. This article makes it seem like the file is automatically downloaded and EXECUTED, but the example makes it seem that you have to click the downloaded file on the download status bar? So which is it? I don't know about you, but if something downloads on my download bar that I didn't request, I'm not opening it.

Score: 0


Auto-download, no execute.

Score: 0


When the user clicks on an auto-downloaded .jar file, it will auto-execute without warning or asking for permission.

Score: 0


Since I installed Chrome I have TWO GoogleUpdate.exes running until I close them in Task Manager (I had one before).

Score: 0


I haven't run chrome for a while and I just now noticed it is running .29. Guess it is being updated in the background.

Score: 0


All in all, those of us beta testing a brand new browser and don't have a software firewall, lol? But really, I'd imagine that would be a very slim amount.

Score: 0


I think that you are all wrong and that simply, I am right in saying that this imperfect version of this ludicrous experiment of google's attempt at a new kind of browser

Score: 0


What makes this an "experiment at a new kind of browser"? Isn't this basically a stripped down, less tested copy of IE8, which is also in beta?

Score: 0


No?

It's built on Webkit.

It's the first browser using the V8 javascript engine.

It's a far cry from IE8, which at this point is actually far more functional...

Score: 0


How dangerous?

'Not very' if you're not using it...

Score: 0


Chrome is first gen. IE is more than 7th gen.. you do the math.

The funny thing is Make-it-work is pushing Safari to customers on windows machines.

Nothing is perfect or EVER will be perfect, but basic downloads like this one are a problem for sure..

Score: 0


Scott, how many of those "at least two years, if not four" was it a 20% project by *one* software goon?

Without that information, any statements such as that are meaningless.

all plug-ins and processes in Chrome are attributable to the tab, not to the browser; in other words, each tab is a separate process, and everything it triggers can't be shared by another tab.

This needs to change. Downloads should be passed to a separate process that can handle them all, provide history, management, and hopefully even thread-management (multi-chunk downloads).

Score: 0


Could not agree more about the downloads being handled by a separate process.

Score: 0


If you've been following the story (and I thought you had), you'll recall that Google clearly stated during its beta launch that it was working on Chrome for two solid years, although some of its key product managers were hired four years ago...for this very project.

Context.

-SF3

Score: 0


Doesn't answer the question *at all*.

Google clearly stated during its beta launch that it was working on Chrome for two solid years

One Google employee is still "Google working on it".

Did those managers do nothing prior to this project? Have you actually spoken to any of them?

Get defensive if you want to. Fine by me, I was merely stating the obvious.

Score: 0


It's BETA. I guess everyone forgot what BETA means.

Score: 0


Exactly what I was thinking.

Of course, Google does like to use the beta tag for everything as an excuse for when things go wrong (Gmail anyone?).

Score: 0


Yeah, look at Gmail, it's been in BETA for like 4 years or more now.

Score: 0


"This morning, Google distributed build 0.2.129.29,"

It's 0.2.149.29, and it wasn't this morning.

Also: It's a bit worrying that it doesn't ask me whether to save the file that's being sent or not.

It automatically downloads any files being sent without asking.

That's not on.

Score: 0


Read the EULA; I am sure you authorized it to do that when you agreed to download it, or if it is a hotfix it will install regardless, since #1 CYA for Google, and #2 if it fixes a security hole then you would want it installed beforehand. =P

Score: 0


That's the other thing. I wasn't presented with a EULA when initially installing.

Or even an 'Are you sure you want to install this' box.

Score: 0

