(September 3, 2008)
People have already begun to find vulnerabilities in the beta version
of Google Chrome, the company's new web browser. In one scenario
involving a flaw in the WebKit engine and another in Java, users could
be tricked into downloading executable files. In another scenario, the
browser could be crashed when users click on maliciously crafted links.
Proof-of-concept code has been posted for both vulnerabilities.
http://www.informationweek.com/news/internet/google/showArticle.jhtml?articleID=210300297
http://www.scmagazineus.com/Google-Chrome-flaws-come-soon-after-browser-release/article/116251/
http://www.heise-online.co.uk/security/Google-Chrome-beta-comes-with-security-holes--/news/111458
[Editor's Note (Pescatore): Let's see: by my math, if you multiply the
security level of consumer-grade software times the security level of
beta code, you get a whole mess of vulnerabilities that will be easily
exploited. That said, I would love to see more competition in the
browser world drive browsers to simpler code bases with more focus on
security as the top feature, vs. trying to bundle in email clients and
all kinds of other stuff.
(Schultz): For a nice, unbiased view of Chrome security, visit
http://www.high-tower.com/blogs/bolcer/]

(September 8, 2008)
Google has released an update for Chrome less than a week after the
company's browser was introduced. Among the vulnerabilities found in
the Chrome beta was a buffer overflow flaw that could be exploited to
take control of vulnerable computers. Google Chrome 0.2.149.29 fixes a
problem that crashed the browser when a website's URL contained the
characters ".%;" a problem with JavaScript on Facebook; and an
unspecified number of security vulnerabilities, but does not provide
specific information about which vulnerabilities have been mitigated.
At least one flaw disclosed last week a blended threat known as a
"carpet bomb" was not fixed in the update. Chrome will check for
available updates every few hours and download them automatically as
they become available.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&a rticleId=9114287&source=rss_topic17
http://news.cnet.com/8301-1009_3-10035004-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
[Editor's Note (Pescatore): Consumer grade software times beta software
= many vulnerabilities. That said, more browser competition, especially
towards reducing browser bloat and increasing security as a top of mind
feature, is badly needed.
(Skoudis): The lack of specificity in the number or nature of
vulnerabilities fixed by this update leaves me very ill at ease.
Without such information, it will be hard to compare this browser's
security history against its competitors over time. It's almost like
they want to keep their users, and the industry more generally, in the
dark about what they're up to and their security flaws. Imagine that!]