Google Chrome has quickly become one of our favorite browsers here at RWW, but as Ryan Naraine, a security evangelist at Kaspersky Lab, reports, Chrome has also inherited a potentially serious security flaw from the older version of WebKit it is based on. By combining a flaw in WebKit with a known Java bug and some clever social engineering, an attacker could easily trick users into launching an executable Java file.
Security expert Aviv Raff, who first discovered this flaw, set up a demo of the exploit here. (Note: This page will automatically download a Java file onto your desktop). You can safely click on the download, as it only opens up a notepad application written in Java.
The problem here is that, after a user double-clicks the download at the bottom of the screen, the application opens without any warning, which would let a malicious hacker easily execute any Java program on the user's machine.
Two facts make this exploit especially embarrassing for Google. First of all, Google stressed the security of Chrome both in the official announcement and in today's live video demo just before the launch.
More importantly, as ZDNet reports, Apple already patched WebKit against this flaw when it released Safari 3.2.1 in July, though only after the flaw had already been known for more than two months. Google, however, is using an older version of WebKit as the basis for Chrome.
Obviously, this exploit only works because of the social engineering behind it. Just like some pop-up ads trick users into clicking "OK" because the ad mimics a typical system message in Windows, this exploit would trick users who are not yet familiar with Chrome's interface into believing that the download is actually just part of the web page.
We assume that Google will patch this flaw a lot faster than Apple did, but this news definitely puts a bit of a damper on our enthusiasm for Chrome.
EDITOR'S UPDATE: We've been all over the Chrome story for the past few days, so here is a summary of our coverage so far:
- Video of Google Chrome Announcement
- Chrome: Test it With Us Live (check out Sarah Perez's screencast, with input from all the RWW team)
- Does Google Have Rights to Everything You Send Through Chrome? (great discussion happening in the comments of this one)
- Google to Offer its Own Browser: Chrome (our original post)
Comments
This is kind of the first security flaw on Chrome, I guess.
Good and nice post
Cheers, Nag
Posted by: Nag | September 2, 2008 10:43 PM
First flaw...
Maybe there are many more, because it's just a beta version...
These will be corrected in the final version, I guess...
Posted by: PC | September 2, 2008 10:53 PM
Sure, you had to go and ruin the party :)
Posted by: Charlie Anzman | September 2, 2008 11:00 PM
Bad Sarah - back to the dungeon with you :)
Posted by: Steven Hodson | September 2, 2008 11:06 PM
Sweetchrome or Sweetcrap?
Posted by: Chris Baskind | September 2, 2008 11:06 PM
What almost makes this a non-issue is that Chrome is entirely self-updating and self-healing (barring nontrivial disabling of the software, lack of Internet connection, etc.). You won't have to do anything. And... you know Google can and will patch (stuff like) this hella faster than Apple does (or did, for this particular WebKit flaw).
Posted by: abacab | September 2, 2008 11:13 PM
abacab, I just wonder how vocal they are going to be about any updates made. Will they just slide them in place without any fanfare, or will we be told about them?
Posted by: Steven Hodson | September 2, 2008 11:16 PM
I seriously don't imagine Google not saying -something- each time, given people will always be watching and willing to bust their chops over even the tiniest little flaw or issue that arises. I wonder, though, if announcements will have people looking for downloads or update links to click on when none exist...
Posted by: abacab | September 2, 2008 11:38 PM
Look, they needed to get a browser out of the door. Patching WebKit up to the latest version is probably not as easy as it sounds. I'm sure they're pretty much aware that if they're using an older build of WebKit, all the security issues that have been discovered between when they took the build and now are real.
Posted by: Wolf | September 3, 2008 12:12 AM
A new service of Google?
Posted by: The wedding | September 3, 2008 12:46 AM
No, Google will not patch this bug faster than Apple. Apple already patched it (although it took them 2 months to do it), and Google didn't. Google has used a vulnerable version of WebKit 4 months after this vulnerability was discovered. Great!
Posted by: Carlos Alonso | September 3, 2008 3:43 AM
> Google has used a vulnerable version of webkit 4 months after this vulnerability is discovered.
In a BETA piece of software. As in unfinished, use at your own risk, not ready for prime time.
Posted by: JulesLt | September 3, 2008 5:05 AM
I guess this is one of those few times I should be happy that an app isn't available for Mac or Linux yet....
Posted by: nick carrasco | September 3, 2008 7:49 AM
Protect yourself - don't install Java.
Posted by: Jordan Hofker | September 3, 2008 7:57 AM
Those of you claiming it's ok because it's a beta should really watch that argument when defending Google. I agree, the product just came out, and they'll need a little bit to get a patch out.
But don't forget, lots of Google's products and services stay in "Beta" forever. They can't continue to hide under that. Google has effectively made "Beta" into "release/stable" for themselves. They don't really deserve any extra slack because of the Beta label like an independent developer might. They need to properly use the term if they want the slack from users it should provide.
Posted by: Matt | September 3, 2008 8:07 AM
The interesting questions to me are not whether Chrome (beta) is ready for prime time (it is not) or which established browser will suffer most (they all will). What I find more interesting is that it appears to have all the trappings of a disruptive technology hiding in plain sight.
I wrote more about this idea here:
Google Chrome: Disruptive Technology
http://faseidl.com/public/blog/212172
Posted by: F. Andy Seidl | September 3, 2008 10:24 AM
This is not a 'serious' flaw; a serious flaw requires nothing but a page load to work. For this flaw to work, a person needs to open an executable file from their Chrome downloads bar!
Posted by: please.... | September 3, 2008 11:47 AM
@all those getting the hump cos of a minor flaw in a free beta product:
1. If you're not prepared to take the risk, then don't install it (it's not compulsory), and let those of us who do like it get on and enjoy it in peace.
2. It is open source. If you don't like it, patch it yourself.
Posted by: graeme | September 3, 2008 11:54 AM
I would not call this a security flaw. The user must perform an action, clicking on a button, before any malicious activity can take place.
I configure my browsers to "Always ask where to save a downloaded file". Thus in my case I get the save as dialog before any download actually occurs.
It actually took me a moment to even see what the big deal was, then I remembered that by default the file is just saved to your desktop.
Is this a usability issue? YES. Google will need to add prompts and/or make it obvious that the download bar is not part of the window.
Posted by: dg | September 3, 2008 12:19 PM
damper, fags.
Posted by: Sergiv Brin | September 3, 2008 12:54 PM
This isn't a security flaw at all, no more than any other "executable" file that a user can be made to launch.
If a user is stupid enough to click the download button in Chrome, they will surely be stupid enough to just double-click the "executable" in their downloads folder too.
It's exactly the same as opening an email attachment. I don't see how it has anything to do with Chrome at all, unless you're suggesting Chrome should block running programs that have been downloaded? That's just denial of responsibility though, not security.
On my system it does nothing, because the choice of what to do with an "executable" file is up to Windows, and I have the ".jar" extension registered to an archive program, since jars are just zip files anyway.
Posted by: emerson | September 3, 2008 12:59 PM
It's the beta version and it's open-source, why not suggest that this be fixed or fix it yourself?
Posted by: ToastyMallows | September 3, 2008 1:01 PM
I really like Chrome, but I'm leaving for a bit as there are too many reports of problems at the moment.
Posted by: harry | September 3, 2008 1:05 PM
The exploit does not require any user interaction whatsoever, but it does not execute this file. It would take a really retarded user to execute a file that just appeared one day. And as others have said, it's a beta release; I would like to see how many exploits are found when Chrome goes GOLD.
http://www.milw0rm.com/exploits/6355
Posted by: No Prompt | September 3, 2008 1:09 PM
I guess with any new release there are ALWAYS going to be bugs. Comes with the territory. I have been playing with Chrome all day and so far still think Firefox 3 is the better browser. IMHO
Jish
www.privacy.mx.tc
Posted by: Jish Denson | September 3, 2008 1:38 PM
What's the big deal? The page downloads a file. If you open the file you get the usual dialog warning you are about to run an executable file. If you're stupid enough to run it, you deserve what you get instead of your "Free Coupwn".
Posted by: Bob Foster | September 3, 2008 1:39 PM
Pobody's Nerfect. Also, Chrome is still in beta. Nothing else to see here.
Posted by: SSTRM | September 3, 2008 1:58 PM
It doesn't download anything. It brings up a window asking me to download something. Just cancel it. I don't see a security flaw at all.
Pretty soon people are going to think opening a web page is a flaw.
Posted by: Mark | September 3, 2008 2:03 PM
I haven't seen anyone else mention it so far, but I wrote up a quick post complaining about a small security flaw with Chrome; there is no way to set a master password for your saved login information.
Duff's Device: Google Chrome overlooks one small security flaw
I did notice earlier today that while I was browsing Facebook, Chrome automatically downloaded the file us-120other.html twice. Not sure what it is or why it was downloaded.
Looking into it I see (curlies to simulate HTML brackets):
{script type="text/javascript" src="http://Ads1.msn.com/library/dap.js" } {/script} {script type="text/javascript"} dap('&PG=FBK600&AP=1113', 120, 600); {/script} {img src="http://ads.ak.facebook.com/ads/creative/1x1/msn/us-120other.gif" height="1" width="1" border="0"}
Side note: http://Ads1.msn.com/ redirects to http://advertising.microsoft.com/home/home
Posted by: Ryan Svoboda | September 3, 2008 2:13 PM
I like Google Chrome, it's very fast, but I will keep my Firefox ;-)
Posted by: Saint Germain | September 3, 2008 2:23 PM
Remember, Google Chrome IS still in beta.
(posted via g. chrome)
Posted by: noname | September 3, 2008 2:37 PM
I can't scroll down in Google Chrome God DAMMIT! Will someone please fix it!
Posted by: jonny | September 3, 2008 3:18 PM
Come on guys, it's still in beta so let's just give them a break and wait for the final build.
Posted by: Sotek | September 3, 2008 3:49 PM
Somebody please kindly respond to this question:
Above, somebody said Chrome is self-updating. Does this mean it updates its versions automatically on the fly, behind the scenes, without prompting the user?
Posted by: Question | September 3, 2008 4:03 PM
I have always learned that bread and butter tastes better than butter and bread....
Google claims to only employ the best of the best but it took a 9 to 5 journalist less than a few hours to find vulnerabilities in the Chrome product. Well it only gets to show you that Groucho was right after all...you never know who is blessed with common sense or not.
Posted by: Groucho Marx | September 3, 2008 4:05 PM
Posting "security bugs" for beta software is kinda lame from an aesthetic perspective, but tempting because it gets you in the news without real effort ...
Posted by: Captain Obvious | September 3, 2008 5:12 PM
I tried the demo and Vista actually managed to help for once in its miserable existence. It comes up with the "allow or cancel" for something I opened. For once Vista did something right. Well, that's not saying much at all, is it?
Posted by: Anon | September 3, 2008 5:38 PM
It's not a security flaw, IMHO. It's just the fact that Chrome is for smart people; it doesn't need to be idiot-proof. Don't double-click the damn file if You don't know what it is. If You want someone to ask You if You know what You're doing, go buy a Vista system.
Posted by: sEwer | September 3, 2008 6:38 PM
Who gives a sh*t.
Posted by: bcarter | September 3, 2008 7:54 PM
It's only beta.
Posted by: mark | September 3, 2008 9:38 PM
Another reason not to switch to Chrome from Firefox too early.
But for sure, they'll fix this much sooner.
Posted by: Kamal Mettananda | September 3, 2008 11:40 PM
ahhh another angry macfag getting pissy over new software
guess they've never been in a world where software isn't child-proof, these "security flaws" are not security flaws if you know what you are doing when using the program,
a) it's in beta,
here's a tip for you: type into google - define:beta
b) ffs it's been released for all of what? a frakking day!
well if you aren't a bunch of pissy whining want-it-now nubs
IT'S OPEN SOURCE - don't like it? fix it yourself!
if you can't, then learn, don't rip into an otherwise exceptional piece of new software that is going against the big leagues of IE and Mozilla, (Safari is not a good browser as much as you wish it is, it really is not).
and as a final point, look up what a security flaw is, plenty of info on that for IE and Safari, then google define:dumbass and you'll find a picture of yourself for not being able to tell the difference between what someone else is doing right and you're doing wrong
tata
Posted by: truthsayerlol | September 4, 2008 1:19 AM
Can someone say beta?
Posted by: Michael | September 4, 2008 3:45 AM
Sweet - I got a free notepad app...
Posted by: Wogan May | September 4, 2008 3:57 AM
I think the loser here will be Opera's market share. Firefox and Chrome are distinct enough, but Opera and Chrome appear more familiar, and Opera does not have the plug-in quality Firefox and eventually Google can bring.
Posted by: David Chudleigh | September 4, 2008 7:27 AM
That's a pretty nasty flaw, but it's not as serious compared to the GDI+ vulnerability a few years ago.
Posted by: Erol | September 4, 2008 10:24 AM
who cares if it's still in 'beta'? gmail has been in BETA for years. that doesn't excuse anything.
Posted by: kameko | September 4, 2008 1:04 PM
Hey, I've been using Chrome for a day now and there's something that bothers me. Let's say I want to download a Word document: it doesn't give me an option to open it, I can only save it and then manually open it. Can you change this somewhere in the options? I can't find it.
Posted by: Filip | September 4, 2008 9:33 PM
For the moment Google Chrome is beta, so in this case it is normal to have bugs.
Posted by: Google | September 4, 2008 11:10 PM
I did report this using the feedback form. Auto download is very dangerous.
However, you can temporarily overcome this problem in Chrome. Go to "Option > Minor Tweaks" and check the box "Ask where to save each file before downloading" under the "Download location" section. This way, every time you download a file (automated or by clicking on it), there will be a dialog box asking you where to save the file. You can click Cancel if you find the file looks weird.
Posted by: zorex | September 5, 2008 2:35 AM