Hackers steer clear of Google Chrome, say too challenging

Hackers steer clear of Google Chrome, say too challenging

Summary: At the CanSecWest security conference in Vancouver BC, hackers were invited to find and exploit holes in modern browsers. A popular target for hackers at this year's conference was Safari on a Mac -- definitely the lowest hanging fruit.

SHARE:
TOPICS: Browser, Google, Security
78

At the CanSecWest security conference in Vancouver BC, hackers were invited to find and exploit holes in modern browsers. A popular target for hackers at this year's conference was Safari on a Mac -- definitely the lowest hanging fruit.

Charlie Miller explains that it's not whether a product has holes (all of them do), its how easy it is to exploit those holes -- and on a Mac, it's very simple:

It’s clear that all three browsers (Safari, IE and Firefox) have bugs. Code execution holes everywhere. But that’s only half the equation. The other half is exploiting it. There’s almost no hurdle to jump through on Mac OS X.

He did mention, in his interview with Ryan Naraine, that Chrome was pretty much in another league. Their "sandbox" makes it extremely difficult to exploit -- not only do you need to find a problem, but you also have to figure out how to get out of their Sandbox (an environment that has no access to anything on the computer).

There are bugs in Chrome but they’re very hard to exploit. I have a Chrome vulnerability right now but I don’t know how to exploit it. It’s really hard. The’ve got that sandbox model that’s hard to get out of. With Chrome, it’s a combination of things — you can’t execute on the heap, the OS protections in Windows and the Sandbox.

I might have this bug and I might be able to get code execution. But now you’r ein a sandbox and you have no permissions to do anything. You need another bug to get out of the sandbox. Now you need two bugs and two exploits. That raises the bar.

No hackers took on Chrome at the conference, simply because everything else was easier.

Topics: Browser, Google, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

78 comments
Log in or register to join the discussion
  • Chrome is good, but crashes most of the time

    Chrome is good, but crashes most of the time. It has to mature as a good browser soon. For now I dont prefer chrome for any banking, payment sites.

    Cheers,
    Kathiravan Manoharan
    http://kathyravan.blogspot.com
    http://paisamechanic.blogspot.com
    kmzdnetone
    • Not my experience thus far

      So far Chrome is my favorite browser. Firefox
      on one machine crashes the moment some sort of
      flash animation is loaded. Not to mention
      Firefox is so slow! IE7 is faster than Firefox
      to load and render pages.

      Granted there are sites that do a browser check
      first, and tell me to bugger off, but overall
      Chrome has been nothing but fantastic. If it
      does crash, only that tab is lost, and that has
      happened only once in two months.


      unredeemed
      • i switched

        An FF user, I tried Chrome and now it is my
        main browser. Fast, sober, secure - no crash at
        all on Vista64. I still use FF for its plugins
        when testing web pages and keep IE7 and Safari
        for checking rendering.
        tekWatcher
        • Makes me laugh!!

          Use the browsers that have the worst acid test results to test rendering. Opera 10 my friend. Back to Chrome I found it works nice has some nice features but is lacking many others. Knowing how Google develop massive amounts of products I am sure they will have an amazing browser over the next few years maybe then I will change from Opera, I moved from Netscape (after the sale) to Firefox and then to Opera after Firefox security nightmares and patches taking nearly 9 month. I still have all of them on my browser and keep them all up to date just in-case one browser makes a giant leap forward. Again if you want to make sure your sites work then use Opera 10 and Dragonfly you are then making the web community fully compliant and most of all your not using IE the PC killer. Take care of you and yours.
          Horus418
          • Further...

            I was just thinking IE is to browsing like Paint is to Photoshop CS4. Take care all.
            Horus418
          • Re: Makes me laugh

            He said he uses Safari to test rendering. Safari 4.0 gets a 100% score on Acid3 so why not use it?
            toml_12953
          • For his purposes it doesn't matter what the Acid3 score is.

            To him this is a business, not a game.

            He needs his web sites to work with whatever browser the potential client shows up with or those people may not be back and that is money down the drain.
            deowll
      • Your Firefox install is FUBARed

        If IE7 is faster than Firefox on your PC then you have some major installation problems with Firefox.
        mikefarinha
        • IE7, FF3, IE8

          What's been funny is watching IE8 betas distributed - already slower than FF3. That should have been a warning sign to MS.

          MS has finally given in to another release which is more conforming to standards (they have always enjoyed adding "features" which are extra-standard, but choosing to overlook others.

          One of the things MS has - which hobbles their features -and- performance, is how deeply they want to integrate into Windows. Too little, and they end up with enough bloatware which will show up on diagnostics.

          It's why they need to do when NT came out: create a new code base and start over. You can't fool me by saying they haven't learned anything in that time span.
          Mihi Nomen Est
          • You don't read do you?

            They've already addressed what you're making assumptions about rather verbosely. Google is your friend.

            Also, please find some new buzzwords, the old ones are beyond cliche.
            Spiritusindomit
          • IE8 Faster than FF3.0 not 3.1

            at least that's been my experience. FF3.0 has been a miserable experience on my machines, I went back to 2 until they stopped supporting it, and now I use 3.1 which totally rocks.
            tech_walker
      • Same Here

        I found it fast and stable. I have crashed it but not easily or often.

        It is a little less "friendly" than IE, but I'd rather use Chrome than FF. I'm hoping for a stable Mac release for my notebook.
        crypt2121
    • No crashing in Chrome

      While I've come across some sites with pages that don't work in Chrome, I've had less [i]crashing[/i] out of it than I get from IE. And, as advertised, when it does crash, it is just that tab, not the whole thing, as IE does.
      brent.hawthorne1
    • Not mine.

      Been using Chrome almost exclusively for the
      last 2 months. Not a single crash. Not one.

      I can't say that about many other Windows
      applications.
      JohnMcGrew
    • You may want to give this a try...

      (Provided your program is not corrupted and you
      periodically run chkdsk to check for disk
      errors)

      1. Right-click your desktop and create a text
      file called:

      "Chrome High Priority.bat"

      (Make sure you have your hidden file extensions
      turned off, or the batch file won't work.)

      Right click the batch file, select "Edit".

      Type in the following characters, substituting
      your profile directory where indicated by
      "********"

      start /High /separate C:\"Documents and
      Settings"\********\"Local Settings"\"Application
      Data"\Google\Chrome\Application\chrome.exe

      This will start Chrome in separate memory and
      with high priority (2 steps higher than current)

      The Priority levels for your computer Highest to
      Lowest are:

      REALTIME
      HIGH
      ABOVENORMAL
      NORMAL
      BELOWNORMAL
      LOW

      Using REALTIME runs the program without a shell
      (as fast as your keyboard and mouse). If the
      application crashes in REALTIME, you will have
      to reboot the entire computer (like Win98 used
      to do). But, it is the fastest and if it works
      without crashing, Chrome will be like lightning.
      I can use REALTIME without any problems and it
      is very, very fast.

      Joe.Smetona
      • High Priority

        Could I use this for other programs too like Real Player ?and how would i word it for real player if i could. Thanks
        sejeff1
        • Yup, you can use it to start any program.

          Actually some defrag programs should run in
          "low" priority if you want to do work and not
          have the computer run slower.

          The easiest way to determine the path is to
          right click the program icon or shortcut name in
          the start menu, then select the properties tab.

          Then, just copy/paste the "target" value into
          the batch file after: start /separate /high

          Remember to remove the outside quotes:
          "C:\quotes\quotes\quotes.exe" will be
          c:\quotes\quotes\quotes.exe

          But, add quotes in only the segments that have
          spaces, so:

          c:\program files\there is a space\prog.exe

          will become:

          c:\"program files"\"there is a space"\prog.exe

          Also, some targets don't list the complete path
          (like Internet Explorer). So for IE (XP) use:

          c:\"program files"\"Internet Explorer"\
          iexplore.exe

          If you have a lot of programs running at
          realtime or high priority, it still works really
          well, because the programs are jumping ahead of
          the low, belownormal, normal, and abovenormal
          background and system programs and processes.

          Try to avoid the "REALTIME" priority if you are
          using a CAD program or database/spreadsheet
          application. Since it does not have a shell, it
          brings down the entire computer if it crashes
          and may have a greater chance of corrupting your
          data. Also, avoid using it for Windows Explorer,
          since some file management operations may be
          adversely effected if it crashes. It may also
          cause corruption on USB flash drives. (My
          theory). It's great for browsing and most other
          applications.

          I hope this helps.

          Linux seems to run comparably well to the MS
          high priority settings with no adjustment.
          Joe.Smetona
        • Here's the information for Real Player Gold 11

          start /separate /high C:\"Program Files"\
          Real\RealPlayer\realplay.exe
          Joe.Smetona
    • Agree Chrome often crashes

      I agree with kmzdnetone's comment exactly, I
      can't use Chrome on most payment sites as it
      doesn't work, and neither does the beta.

      I use it as my main browser but its odd how
      people defend it and say it works - mine
      regularly crashes with flash, chews up 60%+ of
      CPU time, and doesn't work on many sites.

      I often cut and paste the URL to IE and do
      things I have to there, like payments, and then
      switch back to Chrome. Why do I persist, I
      don't know but I have everything grouped around
      Google services not MSN.
      walteradamson
    • Chrome Crash

      It never has unlike Windows 8
      hhguy