Google Chrome vulnerabilities starting to pile up

TOPICS: Security, Browser, Google

[ UPDATE: See below for Google's official response to these issues ]

Security vulnerabilities in the new Google Chrome browser are beginning to pile up.

Following our coverage of the carpet bombing combo threat and denial-of-service crashes, several readers have sent pointers to Chrome exploit code floating around the Web:

  • First up is an automatic file download bug found by researchers in the Ukraine.  The proof-of-concept exploits (there are three) drop an executable (hack.exe) in the default download directory without any intermediate warning.
  • Vietnamese research outfit SVRT-Bkis has published demo exploits for what is described as a critical buffer overflow that could lead to remote code execution attacks.  "The vulnerability is caused due to a boundary error when handling the "SaveAs" function. On saving a malicious page with an overly long title (<title> tag in HTML), the program causes a stack-based overflow and makes it possible for attackers to execute arbitrary code on users’ systems," the group said.  An attack scenario would require some form of social engineering.
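
The boundary error described in the SVRT-Bkis quote is the classic case of a copy whose length is set by the input rather than by the destination. The sketch below is an added example, not Chrome's code: the function names, the 64-byte buffer size and the character filter are assumptions chosen to show the unsafe pattern next to a bounded one for turning a page title into a file name.

```c
#include <stddef.h>
#include <string.h>

#define SAVE_NAME_MAX 64   /* assumed size of the destination buffer */

/* Unsafe pattern (shown for contrast, never called here): the copy length is
 * governed by the page-supplied title, not by the destination size. */
void save_name_unsafe(const char *title, char dst[SAVE_NAME_MAX]) {
    strcpy(dst, title);    /* writes past dst when strlen(title) >= SAVE_NAME_MAX */
}

/* Bounded version: copy at most dst_size-1 bytes, replace characters that are
 * not valid in Windows file names, and always NUL-terminate.
 * Returns 0 if the whole title fit, 1 if it was truncated, -1 on bad arguments. */
int save_name_bounded(const char *title, char *dst, size_t dst_size) {
    static const char invalid[] = "<>:\"/\\|?*";
    size_t i = 0;

    if (title == NULL || dst == NULL || dst_size == 0)
        return -1;

    while (title[i] != '\0' && i + 1 < dst_size) {
        unsigned char c = (unsigned char)title[i];
        dst[i] = (c < 0x20 || strchr(invalid, c) != NULL) ? '_' : (char)c;
        i++;
    }
    dst[i] = '\0';

    if (i == 0) {          /* empty title: fall back to a fixed name */
        strncpy(dst, "untitled", dst_size - 1);
        dst[dst_size - 1] = '\0';
    }
    return title[i] != '\0' ? 1 : 0;
}
```

A caller that gets 1 back knows the title was cut to fit and can decide whether to accept the shortened name or ask the user for one.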

Vulnerability researcher Robert 'RSnake' Hansen is very harsh in his response to Google's decision to build its own browser:

"If you build a browser in isolation, you don't get the benefits and knowledge of the smart people who have come before you. Yes, Google's browser is open source, like Firefox. But even Firefox came from Netscape, which had tons of background in the browser world, and Mozilla, too, has learned from a mistake or two. It is easy to call into question Google's ability to build a safe browser given its rather poor track record in other areas of security. And no, you shouldn't download it -- not if you care about your security. So, like cryptography, you shouldn't build a browser unless you really, really know what you’re doing."

ModSecurity's Ivan Ristic has a different reaction to the news of Google Chrome security hiccups:

"The whole point of having a public beta release is to expose a product to a wide audience and deal with the discovered problems prior to a stable release. The existence of security issues in Chrome is in line with our current inability to develop software free from security issues. Thus, people should not be distracted by the small problems that are now discovered. We should be looking at the big picture instead. Chrome is a browser that's been designed from the ground up with security in mind. That's bound to have a positive impact. We'll know more about the impact once the details of its architecture surface."

Ristic, however, called on Google to stop abusing the "beta" tag because it unacceptably blurs the line between beta and stable. "How else are users going to be able to judge what is acceptable for production use and what isn't?"

UPDATE:  Google's PR team e-mailed the following statement:

  • "We became aware of this vulnerability last night and began working on a fix immediately.  We expect to release the fix soon through an automated update to the browser, so users will not have to take any action to be protected.  As always, Google asks researchers to practice responsible disclosure, so potential vulnerabilities can be evaluated and fixed before they become public and before users are subjected to unnecessary risk.  Security bugs for Google Chrome can be filed at code.google.com/p/chromium."


Talkback

120 comments
  • Google Chrome vulnerabilities starting to pile up

    File this in the "No Surprise" category. The shoddy
    programming at Google which has been reflected on many
    of their applications and services should come as no
    surprise to anyone on Chrome. Google is trying to
    live off of its name instead of having a product that
    works but what they are quickly finding out is that
    customers can see right through them. If they took
    more time and care in designing a product that works
    instead of playing with office toys all day they
    wouldn't have such a bad reputation.
    Loverock Davidson
    • Rockhead's posts starting to pile up....

      File these stupid posts in the no surprise category.

      One, this is beta software. Bugs are always going to be found in beta software. Compared to Microsoft, all Microsoft code should be labeled Alpha code.

      The only bad reputation around here is Microsoft and Rockhead.

      Case closed.
      linux for me
      • Yawn

        Typical, can't stand it when someone tells the truth
        about his mothership. Notice how all he did was
        insult and had no real point? That is why no one
        takes him seriously.
        Loverock Davidson
        • Re: Yawn

          Seriously, was your original comment any different?
          harrisharris
          • Yes

            Did you even read it?
            Loverock Davidson
          • ROTFLMAO!!!!!

            That was real good L.D.

            I haven't laughed so hard in awhile.

            Good to see you back in action, keep them coming,,,
            Intellihence
          • Go Kick Rocks, Rockhead! ;)

            You L.D. are a spoiled sport! ...and obviously you didn't make the right investments 10yrs ago when Google came into being. Otherwise you'd be counting your returns on a very wise investment! ;)

            You make arrogant remarks about Google Products, ignoring the financial aspects of a large successful family of products and the fact that everything they touch they have bought and made even better! ....and YOU and the rest of you M$ bigoted losers can't stand that! (Steve "Monkey Boy" Ballmer: "I'm going to f***ing kill Google"! Right.... note they are even close to dying. LOLz)

            Start with Google Search (which is the undisputed Champion of Search BTW), YouTube (nothing else even compares and it's only gotten better), Picasa (outstanding Web Based Application), and then keep adding them all up from there. You probably aren't aware that they OWN the World Wide Web Ad Business either! :D

            Yeah, when the company YOU support got bit for being a Monopoly, creates loser hardware like Xbox and Zune. Their Windblows Wista (I had Linux Flash n Dash) w/Compiz and OpenGL API is a...hum.. failing. Their Stock value has stagnant growth the last 5yrs (when the last time they doubled?). They can't even make their own competitive Search Engine and they're a software company (must try to buy Yahoo)! ....and now their Mobile OS is about to get killed by a new Android!!! hehe

            So I guess when a company like Google, that knows nothing but success in the face of diversity and competition, decides to make a Web Browser, it's only natural that Chicken ***s like you get scared and start spouting trash!!!

            Oh... Are you Ryan Naraine's (who only thinks he's a professional journalist) twin brother? ;) I wouldn't be making any investments or bets based on anything either of you two say!!! LOLz ....Losers!!!
            i2fun
      • Why Microsoft?

        Damn, that was the fastest ever. Once again, a story having NOTHING AT ALL TO DO WITH MICROSOFT brings on the Linux fanboys who can't get through an entire sentence without crying about Microsoft. Get over yourselves. People like that are why no one listens to the Linux lovers on sites like this.
        vermonter
        • How's Your Foot Taste? ;)

          Tell that to Microsoft! ...who BTW is making money off Linux right now!!!

          Tell that to the U.S. Government. Who uses Linux everywhere (even modified the Linux kernel). Heard of Secure Linux, written by N.S.A. (National Security Agency)?

          ***Do you know what an HPC (High Performance Computing) Cluster is? Linux Does, it OWNs HPC Cluster Market (Windows is for Beginners in this field)!

          ***Can you tell me how many Super Computers in the Top 100 use Windows anything? NONE!!! Do you by chance know that IBM's Cell BE Hybrid Blade Servers only use Linux?

          ***Do you just maybe know what OS the Cell Security onboard those Servers and Hybrid Government Mainframes is running on (including Los Alamos National Laboratory's Road Runner, which passed a Petaflop running on what?). What... speak up boy? Linux!!!

          That Security is said to be the only Security System the NSA calls an "Impenetrable Fortress"!

          Now... Then you have the nerve to even mention Linux and its users like it's some low class BSOD'ing P.O.S. like your XP/Vista Windblows!!!

          Just remember, "The Future is Open" and another reason that makes that so, is that literally every hardware manufacturer with a decent product, is part of Khronos Group. Which BTW is in charge of the OpenGL Family of API's. The part of computing that links their own hardware to the Operating System! ....don't look now, but OpenGL is taking a C**p on DirectX and your Windows. On everything from Mobiles to Desktops and Game Consoles!!!

          Get a Life.....and a new OS! ;) Think Open and Free, as the whole world follows our own government's lead to Linux! :D Watch as the Androids march into history powered by Google!!!
          i2fun
          • No BSOD's here

            I have never had one with XP since I've been using it. The organizations who use linux also use custom made software for it (and only those few applications). The normal user has no such advantage and would not like the limitations and harder setup. Long live Windows and its parent company, without whom none of the whiners would ever have been on line to begin with.
            dch48
    • So, how goes your job search?

      Just curious, given how bitter you are these past few years.
      B.O.F.H.
      • Message has been deleted.

        Loverock Davidson
        • Could you be any more immature?

          NT
          MGP2
          • Wrong reply?

            I'm guessing you meant that for him and not me.
            Loverock Davidson
          • You're wrong again.....

            It was meant for you for posting a reply with nothing but a couple hundred rows of
            <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

            Grow up, would ya?
            MGP2
          • Re: You're wrong again.....

            Brings back the "where are the moderators?" argument and thereby adds weight to the "Lovey is a fictional character thrown into the mix to garner controversy and hopefully increase hits" conspiracy theory. Still; on the upside we have Lovey to thank for the leaps & bounds in storage capacity over recent years and for obviating the quality of anything he/she/it opposes.
            rikasa
          • Probably not

            At least on the basis of the evidence.
            fairportfan
          • I can

            POOP is brown
            Duke E. Love