Comments for Serious Security Flaw in Google Chrome

Serious Security Flaw in Google Chrome

2008-09-03T04:47:28Z

Google Chrome has quickly become one of our favorite browsers here at RWW, but as Ryan Narraine, a security evangelist at Kaspersky Lab, reports, Chrome has also inherited a potentially serious security flaw from the old version of WebKit it is based on. An attacker could easily trick users into launching an executable Java file by combining a flaw in WebKit with a known Java bug and some smart social engineering.

Security expert Aviv Raff, who first discovered this flaw, set up a demo of the exploit here. (Note: This page will automatically download a Java file onto your desktop). You can safely click on the download, as it only opens up a notepad application written in Java.

]]> Carpet-Bombing

The problem here is that, after a user double-clicks the download at the bottom of the screen, this application is opened without any warning, which would allow a malicious hacker to easily execute any Java program on a user's machine.

Two facts make this exploit especially embarrassing for Google. First of all, Google stressed the security of Chrome in both the official announcement as well as in today's live video demo just before the launch.

Apple Already Did It

More importantly, as ZDNet reports, Apple already patched WebKit against this flaw when it released Safari 3.2.1 in July, though only after the flaw had been known already for more than two months. Google, however, is using an older version of WebKit as the basis for Chrome.

Social Engineering

Obviously, this exploit only works because of the social engineering behind it. Just like some pop-up ads trick users into clicking "OK" because the ad mimics a typical system message in Windows, this exploit would trick users who are not yet familiar with Chrome's interface into believing that the download is actually just part of the web page.

We assume that Google will patch this flaw a lot faster than Apple did, but this news definitely puts a bit of a damper on our enthusiasm for Chrome.

EDITOR'S UPDATE: we've been all over the Chrome story for the past few days, so here is a summary of our coverage so far:

- Video of Google Chrome Announcement
- Chrome: Test it With Us Live (check out Sarah Perez's screencast, with input from all the RWW team)
- Does Google Have Rights to Everything You Send Through Chrome? (great discussion happening in the comments of this one)
- Google to Offer its Own Browser: Chrome (our original post)

Comment from yuregininsesi on 2011-01-10

2011-01-10T23:49:30Z

Come on guys, it's still in beta so let's just give them a break and wait for the final build.
sesli chat sesli sohbet chat roulette omegle

Comment from chess tactics on 2008-09-30

2008-10-01T05:35:06Z

Ok, so google chrome has become one of the favorite browsers. But I still feel that mozilla and internet explorer is far more better than chrome.
Especially for the SEO's google chrome doesn't provide any help. Does it ?

Comment from Chromer on 2008-09-18

2008-09-18T23:00:24Z

Dont forget to visit http://chromeguru.info for Google Chrome Themes.

Over 60 themes added to the filebase.

Comment from Junaid on 2008-09-16

2008-09-17T03:47:43Z

I really like Chrome. It is extremely fast and really easy to work with. The main feature i did like is "Type in the address bar and get suggestions for both search and web pages."

Comment from Ari Rigopoulos on 2008-09-14

2008-09-15T02:00:08Z

Since I installed Chrome I have lost use of my page scroll.

Comment from Chris Lees on 2008-09-13

2008-09-14T03:46:46Z

Google should be criticised if this security issue exists with Chrome. They made the decision to use a piece of Apple software for an untrusted-web-facing service when Apple is known to take a lax position on security. I'm also criticising KDE and Gnome for also jumping on board the Webkit dinghy; KDE from the excellent KHTML and Gnome from Gecko.

However, the people saying that Apple was quicker to fix the problem than Google are only telling half the story. Apple introduced the security flaw and knew about it for two months before fixing it. Apple left a "passwords being sent in cleartext" bug in OS X Server for six months after it had been fixed upstream. There is also a local root exploit in desktop OS X, that only requires a single line of Applescript to trigger, that has been around for years and has not even been fixed in development versions of Snow Leopard.

In addition, the original iPhone shipped with an old version of Webkit that contained a similar flaw, when the Mac version of Safari had fixed it. This was a flaw that had been fixed in Internet Explorer 6 literally years beforehand, and we all know that it's rare for IE 6 to rightly claim security superiority :-P

I infinitely trust Google more with web software than Apple, but not if they use Apple code in it.

Comment from jan niehaus on 2008-09-13

2008-09-14T00:07:39Z

Help get chrome out of my life. When I log on instead of connecting to firefox I get warnings chrome was not signed & firefox cannot see server. thank you

Comment from شات on 2008-09-12

2008-09-12T18:10:19Z

Well

I tried it my self, yes there is a security problem. i think google will fix it soon.

thanx for info

Comment from hojjat on 2008-09-09

2008-09-10T01:40:41Z

only opera browser and nothing

Comment from SEO Blog on 2008-09-09

2008-09-09T18:18:42Z

Why did google announced it before finishing the software? Does anyone have opinion why did they released the beta directly to enduser?

Comment from mmanson on 2008-09-09

2008-09-09T16:35:08Z

chill down folks!

This "security flow" it have been already PATCHED. there is a new version 0.2.149.29

Well For apple took two month to fix his flaws.. for Google took about what...? two days ?

Comment from Glen LeBarr on 2008-09-08

2008-09-08T13:21:12Z

I downloaded the program and the very day it was released and I was exposed to a seriously nasty virus that totally hijacked my system. I don't know if it had anything to do with chrome or not, but after seemingly getting rid of it (or, so I thought) my computer has had numerous problems and I can't get Firefox or IE to work properly. Firefox won't even start and IE opens but when I do search on Google all the links in my search result open to totally unrelated sites. I believe the virus is called XP something or another. It's also caused my computer to freeze up whenever I do just about any function. I've tried numerous ways to get rid of this pest and just when I think I'm in the clear something else starts to go wrong. Like I said, I've never had a problem like this before when using IE or Firefox and I don't know if Chrome has allowed an unknown security flaw to screw up my computer or not. I hope not because otherwise I've been very impressed with this new browser, especially it's speed.

Comment from John Patton on 2008-09-07

2008-09-07T21:44:21Z

I just found a new security hole while im surfing the web, which causes Google Chrome stack-based buffer overflow. check it :

http://www.computersake.com/2008/09/google-chrome-save-as-function-buffer-overflow-vulnerability/

Comment from jIMMAY on 2008-09-07

2008-09-07T14:45:57Z

this is not a serious security flaw in chrome. and if you are so worried just scan files downloaded with DragonScanner: http://www.dragonscanner.com

Comment from Andrew Heenan on 2008-09-06

2008-09-06T12:27:06Z

"Protect yourself - don't install Java."
"Protect yourself - don't use Javascript"
"Protect yourself - don't use cache"
"Protect yourself - don't install Chrome"

Hey, why not go the whole hog? Turn off your computer and go live in a cave. So it ain't perfect? What is?

Live in total fear and total safety - or live a little, take a few minor risks, and get the benefit.

This 'flaw' requires not only the use of Chrome - but also a 'newbie level' of carelessness.

It need not be serious, it will be fixed, no need to knot the underwear.

Comment from Lightman on 2008-09-06

2008-09-06T08:00:17Z

People. There are two ways to counteract this "flaw".

1. As always, be smart about your browsing.

2. Go into your settings and disable auto-download (I did it as soon as I got the browser).

This may have been posted already, but I CBA to read everything :)

Comment from selin kare on 2008-09-05

2008-09-06T01:07:34Z

i think, Google will change again face of internet :)

Comment from zorex on 2008-09-05

2008-09-05T09:35:58Z

I did report this using the feedback form. Auto download is very dangerous.

However, you can temporary overcome this prob in Chrome. Go to "Option > Minor Tweaks" and check the box "Ask where to save each file before downloading" under the "Download location" section. Like this, every time when you are downloading files (automated or you click on it), there will be a dialog box asking you where to save the file. You can click cancel if you found out the file is weird.

Comment from Google on 2008-09-04

2008-09-05T06:10:29Z

For moment Google Chrome is beta so in this case is normal to have bugs

Comment from Filip on 2008-09-04

2008-09-05T04:33:13Z

Hey i've been using chrome for a day now and there's something that bothers me. Let's say when I want to download a word document it doesn't give me an option to open it, i can just save it and then manually open it. Can you change this somewhere in the options, cause i can't find it.

Comment from kameko on 2008-09-04

2008-09-04T20:04:53Z

who cares if its still in 'beta'? gmail has been in BETA for years. that doesn't excuse anything.

Comment from Erol on 2008-09-04

2008-09-04T17:24:47Z

That's a pretty nasty flaw, but it's not as serious compared to the GDI+ vulnerability a few years ago.

Comment from David Chudleigh on 2008-09-04

2008-09-04T14:27:40Z

I think the loser here will be Opera's market share. Firefox and Chrome are distinct enough but Opera and Chrome appear more familiar and Opear does not have the plug-ins quality Firefox and eventualy Google can bring.

Comment from Wogan May on 2008-09-04

2008-09-04T10:57:48Z

Sweet - I got a free notepad app...

Comment from Michael on 2008-09-04

2008-09-04T10:45:07Z

Can someone say beta?

Comment from truthsayerlol on 2008-09-04

2008-09-04T08:19:04Z

ahhh another angry macfag getting pissy over new software
guess theve never been in a world where software isnt child-proof, these "security flaws" are not security flaws if you know what you are doing when using the program,
a) its in beta,
heres a tip for you type into google - define:beta
b) ffs its been released for all of what? a frakking day!
well if you arnt a bunch of pissy whining want-it now nubs
ITS OPEN SOURCE - dont like it? fix it yourself!
if you cant, then learn, dont rip into anotherwise exceptional piece of new software that is going against the big leagues of IE and Mozilla, (Safari is not a good browser as much as you wish it is, it really is not).

and as a final point, lookup what a security flaw is, plenty of info on that for IE and Safari, then google define:dumbass and youll find a picture of yourself for not being able to tell the difference between what someone else is doing right and your doing wrong

tata

Comment from Kamal Mettananda on 2008-09-03

2008-09-04T06:40:27Z

Another reason not to switch to Chrome from Firefox too early.

But for sure, they fix this much sooner.

Comment from mark on 2008-09-03

2008-09-04T04:38:48Z

It's only beta.

Comment from bcarter on 2008-09-03

2008-09-04T02:54:54Z

Who gives a sh*t.

Comment from sEwer on 2008-09-03

2008-09-04T01:38:46Z

It's not a security flaw, IMHO. It just the fact, that Chrome is for smart people, it doesn't need to be idiot-proof. Don't double-click the damn file if You don't know what it is. If You wan't someone to ask You if You know what You're doing, go buy a Vista System.

Comment from Anon on 2008-09-03

2008-09-04T00:38:06Z

i tried the demo and Vista actually managed to help for once in its miserable existence. It comes up with the "allow or cancel" something i opened. For once Vista did something right. well thats not saying much at all is it?

Comment from Captain Obvious on 2008-09-03

2008-09-04T00:12:49Z

Posting "security bugs" for beta software is kinda lame from an esthetic perspective, but tempting because it get's you in the news without real effort ...

Comment from Groucho Marx on 2008-09-03

2008-09-03T23:05:35Z

I have always learned that bread and butter tastes better than butter and bread....

Google claims to only employ the best of the best but it took a 9 to 5 journalist less than a few hours to find vulnerabilities in the Chrome product. Well it only gets to show you that Groucho was right after all...you never know who is blessed with common sense or not.

Comment from Question on 2008-09-03

2008-09-03T23:03:39Z

Somebody please kindly respond to this question:

Above, somebody said Chrome is self-updating. Does this mean it updates its versions automatically on the fly, behind the scenes, without prompting the user?

Comment from Sotek on 2008-09-03

2008-09-03T22:49:03Z

Come on guys, it's still in beta so let's just give them a break and wait for the final build.

Comment from jonny on 2008-09-03

2008-09-03T22:18:26Z

I can't scroll down in Google Chrome God DAMMIT! Will someone please fix it!

Comment from noname on 2008-09-03

2008-09-03T21:37:27Z

Remember, google chrome IS still in beta.

(posted via g. chrome)

Comment from Saint Germain on 2008-09-03

2008-09-03T21:23:54Z

I like google chrome, its very fast, but i will keep my firefox ;-)

Comment from Ryan Svoboda on 2008-09-03

2008-09-03T21:13:20Z

I haven't seen anyone else mention it so far, but I wrote up a quick post complaining about a small security flaw with Chrome; there is no way to set a master password for your saved login information.

Duff's Device: Google Chrome overlooks one small security flaw

I did notice earlier today that while I was browsing Facebook, Chrome automatically downloaded the file us-120other.html twice. Not sure what it is or why it was downloaded.

Looking into it I see (curlys to simulate html brackets):

{script 
type="text/javascript" src="http://Ads1.msn.com/library/dap.js" }
{/script}
{script 
type="text/javascript"}
dap('&PG=FBK600&AP=1113', 120, 600);
{/script}
{img src="http://ads.ak.facebook.com/ads/creative/1x1/msn/us-120other.gif" height="1" width="1" border="0"}

Side note: http://Ads1.msn.com/ redirects to http://advertising.microsoft.com/home/home

Comment from Mark on 2008-09-03

2008-09-03T21:03:33Z

It doesn't download anything. It brings up a window asking me to download something. Just cancel it. I don't see a security flaw at all.

Pretty soon people are going to think opening a web page is a flaw.

Comment from SSTRM on 2008-09-03

2008-09-03T20:58:44Z

Pobody's Nerfect. Also Chrome its still in beta. Nothing else to see here.

Comment from Bob Foster on 2008-09-03

2008-09-03T20:39:25Z

What's the big deal? The page downloads a file. If you open the file you get the usual dialog warning you are about to run an executable file. If you're stupid enough to run it, you deserve what you get instead of your "Free Coupwn".

Comment from Jish Denson on 2008-09-03

2008-09-03T20:38:53Z

I guess with any new release there is ALWAYS going to be bugs. Comes with the territory. I have been playing with Chrome all day and so far still think Firefox 3 is the better browser. IMHO

Jish
www.privacy.mx.tc

Comment from No Prompt on 2008-09-03

2008-09-03T20:09:07Z

The exploit does not require any user interaction what so ever, but it does not execute this file. It would take a really retarded user to execute a file that just appeared one day. And as other have said, it's a beta release, I would like to see how many exploits are found when Chrome goes GOLD.

http://www.milw0rm.com/exploits/6355

Comment from harry on 2008-09-03

2008-09-03T20:05:00Z

I really like chrome but im leaving for abit as to many reports of problems at the moment

Comment from ToastyMallows on 2008-09-03

2008-09-03T20:01:28Z

It's the beta version and it's open-source, why not suggest that this be fixed or fix it yourself?

Comment from emerson on 2008-09-03

2008-09-03T19:59:18Z

This isnt a security flaw at all, no more than any other "executable" file that a user can be made to launch.

If a user is stupid enough to click the download button in Chrome, they will surely be stupid enough to just double click the "executable" in their downloads folder too.

Its exactly the same as opening an email attachment. I dont see how it has anything to do with Chrome at all, unless your suggesting Chrome should block running programs that have been downloaded ? - Thats just denial of responsibility though, not security.

On my system it does nothing, becuase the choice of what to do with an "executable" file is up to Windows, and i have the ".jar" extension registered to an archive program, since jars are just zip files anyway.

Comment from Sergiv Brin on 2008-09-03

2008-09-03T19:54:34Z

damper, fags.

Comment from dg on 2008-09-03

2008-09-03T19:19:33Z

I would not call this a security flaw. The user must perform an action, clicking on a button, before any malicious activity can take place.

I configure my browsers to "Always ask where to save a downloaded file". Thus in my case I get the save as dialog before any download actually occurs.

It actually took me a moment to even see what the big deal was, then I remembered that by default the file is just saved to your desktop.

Is this a usability issue? YES. Google will need to add prompts and/or make it obvious that the download bar is not part of the window.

Comment from graeme on 2008-09-03

2008-09-03T18:54:34Z

@all those getting the hump cos of a minor flaw in a free beta product:

1. if you're not prepared to take the risk then don't install it (it's not compulsory), and let those of us who do like it get on and enjoy it in peace.

2. it is open source. if you don't like it, patch it yourself.

Comment from please.... on 2008-09-03

2008-09-03T18:47:43Z

This is not a 'serious' flaw, a serious flaw requires nothing but a page load to work. For this flaw to work a person needs to open an executable file from their chrome downloads bar!

Comment from F. Andy Seidl on 2008-09-03

2008-09-03T17:24:21Z

The interesting questions to me are not if Chrome (beta) is ready for prime time (it is not) or which established browser will suffer most (they all will.) What I find more interesting is that it appears to have all the trappings of a disruptive technology hiding in plain sight.

I wrote more about this idea here:

Google Chrome: Disruptive Technology
http://faseidl.com/public/blog/212172

Comment from Matt on 2008-09-03

2008-09-03T15:07:26Z

Those of you claiming it's ok because it's a beta should really watch that argument when defending Google. I agree, the product just came out, and they'll need a little bit to get a patch out.

But don't forget, lots of Google's products and services stay in "Beta" forever. They can't continue to hide under that. Google has effectively made "Beta" into "release/stable" for themselves. They don't really deserve any extra slack because of the Beta label like an independent developer might. They need to properly use the term if they want the slack from users it should provide.

Comment from Jordan Hofker on 2008-09-03

2008-09-03T14:57:18Z

Protect yourself - don't install Java.

Comment from NickC321 on 2008-09-03

2008-09-03T14:49:25Z

I guess this is one of those few times I should be happy that an app isn't available for Mac or Linux yet....

Comment from JulesLt on 2008-09-03

2008-09-03T12:05:48Z

>Google has used a vulnerable version of webkit 4 months after this vulnerability is >discovered.

In a BETA piece of software. As in unfinished, use at your own risk, not ready for the primetime.

Comment from Carlos Alonso on 2008-09-03

2008-09-03T10:43:57Z

No, Google will not patch this bug faster than Apple. Apple already patched it (although it took them 2 months to do it), and Google don't. Google has used a vulnerable version of webkit 4 months after this vulnerability is discovered. Great!

Comment from The wedding on 2008-09-03

2008-09-03T07:46:07Z

A new services of google ?

Comment from Wolf on 2008-09-03

2008-09-03T07:12:15Z

Look, they needed to get a browser out of the door. Patching webkit up to the latest version is probably not as easy as it sounds. I'm sure they're pretty much aware that if they're using an older build of Webkit, all the security issues that have been discovered during when they took the build and now are real.

Comment from abacab on 2008-09-02

2008-09-03T06:38:35Z

I seriously don't imagine Google not saying -something- each time, given people will always be watching and willing to bust their chops over even the tiniest little flaw or issue that arises. I wonder, though, if announcements will have people looking for downloads or update links to click on when none exist...

Comment from Steven Hodson on 2008-09-02

2008-09-03T06:16:34Z

abacab I just wonder how vocal they are going to be about any updates made .. will they just slide them in place without any fanfare or will we be told about them

Comment from abacab on 2008-09-02

2008-09-03T06:13:57Z

What almost makes this a non-issue is that Chrome's entirely self-updating, self-healing (barring nontrivial disabling of the software, lack of Internet connection, etc). You won't have to do anything. And... you know Google can and will patch (stuff like) this hella faster than Apple does (or did, this particular WebKit flaw instance).

Comment from Chris Baskind on 2008-09-02

2008-09-03T06:06:51Z

Sweetchrome or Sweetcrap?

Comment from Steven Hodson on 2008-09-02

2008-09-03T06:06:05Z

Bad Sarah - back to dungeon with you :)

Comment from Charlie Anzman on 2008-09-02

2008-09-03T06:00:22Z

Sure, you had to go and ruin the party :)

Comment from PC on 2008-09-02

2008-09-03T05:53:52Z

First flaw..
may be there are many more coz its just a beta version..

These will be corrected in the final version I guess..

Comment from Nag on 2008-09-02

2008-09-03T05:43:50Z

This is kind of the First Security flaw on Chrome i guess.

Good and nice post

Cheers, Nag