Zero Day

Ryan Naraine and Dancho Danchev

Google Chrome vulnerabilities starting to pile up

By Ryan Naraine | September 5, 2008, 9:33am PDT


Ryan Naraine
Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Dancho Danchev
Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threats intelligence data with the rest of the community on a daily basis. More details on Dancho Danchev's current and past professional affiliations can be found in his LinkedIn profile. You can also follow him on Twitter.

[ UPDATE: See below for Google's official response to these issues ]

Security vulnerabilities in the new Google Chrome browser are beginning to pile up.

Following our coverage of the carpet bombing combo threat and denial-of-service crashes, several readers have sent pointers to Chrome exploit code floating around the Web:

  • First up is an automatic file download bug found by researchers in the Ukraine. The proof-of-concept exploits (there are three) drop an executable (hack.exe) in the default download directory without any intermediate warning.
  • Vietnamese research outfit SVRT-Bkis has published demo exploits for what is described as a critical buffer overflow that could lead to remote code execution attacks. “The vulnerability is caused due to a boundary error when handling the ‘SaveAs’ function. On saving a malicious page with an overly long title (<title> tag in HTML), the program causes a stack-based overflow and makes it possible for attackers to execute arbitrary code on users’ systems,” the group said. An attack scenario would require some form of social engineering.
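
The class of boundary error SVRT-Bkis describes, shown beside its bounded fix. This is an added illustration in C, not Chrome's code and not taken from the advisory; the function names, the 64-byte buffer size and the constructed all-'A' title are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define NAME_BUF 64 /* assumed buffer size; the advisory gives none */

/* BEFORE: strcpy() stops only at the source's NUL byte, so a title of
 * NAME_BUF bytes or more writes past the end of the stack buffer `name`. */
size_t save_name_unsafe(const char *title)
{
    char name[NAME_BUF];
    strcpy(name, title);
    return strlen(name);
}

/* AFTER: the destination size is passed in, the copy is clamped to it and the
 * result is always NUL-terminated. Returns 1 if truncated, 0 if not, -1 on a bad buffer. */
int save_name_safe(const char *title, char *out, size_t out_size)
{
    if (out == NULL || out_size == 0)
        return -1;
    if (title == NULL)
        title = "";
    size_t n = strlen(title);
    int truncated = n >= out_size;   /* one byte is reserved for the NUL */
    if (truncated)
        n = out_size - 1;
    memcpy(out, title, n);
    out[n] = '\0';
    return truncated;
}

/* Constructed input: a title of `len` 'A' bytes standing in for an overly
 * long <title>. Returns the length of the name the safe path stores. */
size_t stored_len_for_title(size_t len)
{
    static char title[8192];
    char name[NAME_BUF];
    if (len >= sizeof title)
        len = sizeof title - 1;
    memset(title, 'A', len);
    title[len] = '\0';
    save_name_safe(title, name, sizeof name);
    return strlen(name);
}

int main(void)
{
    printf("4000-byte title -> %zu-byte name\n", stored_len_for_title(4000));
    return 0;
}
```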

Vulnerability researcher Robert ‘RSnake’ Hansen is very harsh in his response to Google’s decision to build its own browser:

“If you build a browser in isolation, you don’t get the benefits and knowledge of the smart people who have come before you. Yes, Google’s browser is open source, like Firefox. But even Firefox came from Netscape, which had tons of background in the browser world, and Mozilla, too, has learned from a mistake or two. It is easy to call into question Google’s ability to build a safe browser given its rather poor track record in other areas of security. And no, you shouldn’t download it — not if you care about your security. So, like cryptography, you shouldn’t build a browser unless you really, really know what you’re doing.”

ModSecurity’s Ivan Ristic has a different reaction to the news of Google Chrome security hiccups:

“The whole point of having a public beta release is to expose a product to a wide audience and deal with the discovered problems prior to a stable release. The existence of security issues in Chrome is in line with our current inability to develop software free from security issues. Thus, people should not be distracted by the small problems that are now discovered. We should be looking at the big picture instead. Chrome is a browser that’s been designed from the ground up with security in mind. That’s bound to have a positive impact. We’ll know more about the impact once the details of its architecture surface.”

Ristic, however, called on Google to stop abusing the “beta” tag because it unacceptably blurs the line between beta and stable. “How else are users going to be able to judge what is acceptable for production use and what isn’t?”

UPDATE: Google’s PR team e-mailed the following statement:

  • “We became aware of this vulnerability last night and began working on a fix immediately. We expect to release the fix soon through an automated update to the browser, so users will not have to take any action to be protected. As always, Google asks researchers to practice responsible disclosure, so potential vulnerabilities can be evaluated and fixed before they become public and before users are subjected to unnecessary risk. Security bugs for Google Chrome can be filed at code.google.com/p/chromium.”

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a security evangelist. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Talkback Most Recent of 119 Talkback(s)

  • Google Chrome vulnerabilities starting to pile up
    File this in the "No Surprise" category. The shoddy
    programming at Google which has been reflected on many
    of their applications and services should come as no
    surprise to anyone on Chrome. Google is trying to
    live off of its name instead of having a product that
    works but what they are quickly finding out is that
    customers can see right through them. If they took
    more time and care in designing a product that works
    instead of playing with office toys all day they
    wouldn't have such a bad reputation.
    Loverock Davidson
    09/05/2008 09:54 AM
  • Rockhead's posts starting to pile up....
    File these stupid posts in the no surprise category.

    One, this is beta software. Bugs are always going to be found in beta software. Compared to Microsoft, all Microsoft code should be labeled Alpha code.

    The only bad reputation around here is Microsoft and Rockhead.

    Case closed.
    linux for me
    09/05/2008 11:26 AM
  • Yawn
    Typical, can't stand it when someone tells the truth
    about his mothership. Notice how all he did was
    insult and had no real point? That is why no one
    takes him seriously.
    Loverock Davidson
    09/05/2008 01:12 PM
  • Re: Yawn
    Seriously, was your original comment any different?
    harrisharris
    09/05/2008 01:29 PM
  • Yes
    Did you even read it?
    Loverock Davidson
    09/05/2008 01:50 PM
  • ROTFLMAO!!!!!
    That was real good L.D.

    I haven't laughed so hard in awhile.

    Good to see you back in action, keep them coming,,,
    Intellihence
    09/06/2008 11:55 AM
  • Go Kick Rocks, Rockhead! wink
    You L.D. are a spoiled sport! ...and obviously you didn't make the right investments 10yrs ago when Google came into being. Otherwise you'd be counting your returns on a very wise investment! wink

    You make arrogant remarks about Google Products, ignoring the financial aspects of a large successful family of products and the fact that everything they touch they have bought and made even better! ....and YOU and the rest of you M$ bigoted losers can't stand that! (Steve "Monkey Boy" Ballmer: "I'm going to f***ing kill Google"! Right.... note they are even close to dying. LOLz)

    Start with Google Search (which is the undisputed Champion of Search BTW), YouTube (nothing else even compares and it's only gotten better), Picasa (outstanding Web Based Application), and then keep adding them all up from there. You probably aren't aware that they OWN the World Wide Web Ad Business either! grin

    Yeah, when the company YOU support got bit for being a Monopoly, creates loser hardware like Xbox and Zune. Their Windblows Wista (I had Linux Flash n Dash) w/Compiz and OpenGL API is a...hum.. failing. Their Stock value has stagnant growth the last 5yrs (when the last time they doubled?). They can't even make their own competitive Search Engine and they're a software company (must try to buy Yahoo)! ....and now their Mobile OS is about to get killed by a new Android!!! hehe

    So I guess when a company like Google, that knows nothing but success in the face of diversity and competition, decides to make a Web Browser, it's only natural that Chicken ***s like you get scared and start spouting trash!!!

    Oh... Are you Ryan Naraine's (who only thinks he's a professional journalist) twin brother? wink I wouldn't be making any investments or bets based on anything either of you two say!!! LOLz ....Losers!!!
    i2fun@...
    09/08/2008 10:18 PM
  • Why Microsoft?
    Damn, that was the fastest ever. Once again, a story having NOTHING AT ALL TO DO WITH MICROSOFT brings on the Linux fanboys who can't get through an entire sentence without crying about Microsoft. Get over yourselves. People like that are why no one listens to the Linux lovers on sites like this.
    vermonter
    09/08/2008 04:36 AM
  • How's Your Foot Taste? wink
    Tell that to Microsoft! ...who BTW is making money off Linux right now!!!

    Tell that to the U.S. Government. Who uses Linux everywhere (even modified the Linux kernel). Heard of Secure Linux, written by N.S.A. (National Security Agency)?

    ***Do you know what an HPC (High Performance Computing) Cluster is? Linux Does, it OWNs HPC Cluster Market (Windows is for Beginners in this field)!

    ***Can you tell me how many Super Computers in the Top 100 use Windows anything? NONE!!! Do you by chance know that IBM's Cell BE Hybrid Blade Servers only use Linux?

    ***Do you just maybe know what OS the Cell Security onboard those Servers and Hybrid Government Mainframes is running on (including Los Alamos National Laboratory's Road Runner, which passed a Petaflop running on what?). What... speak up boy? Linux!!!

    That Security is said to be the only Security System the NSA calls an "Impenetrable Fortress"!

    Now... Then you have the nerve to even mention Linux and its users like it's some low class BSOD'ing P.O.S. like your XP/Vista Windblows!!!

    Just remember, "The Future is Open" and another reason that makes that so, is that literally every hardware manufacturer with a decent product, is part of Khronos Group. Which BTW is in charge of the OpenGL Family of API's. The part of computing that links their own hardware to the Operating System! ....don't look now, but OpenGL is taking a C**p on DirectX and your Windows. On everything from Mobiles to Desktops and Game Consoles!!!

    Get a Life.....and a new OS! wink Think Open and Free, as the whole world follows our own government's lead to Linux! grin Watch as the Androids march into history powered by Google!!!
    i2fun@...
    09/08/2008 11:09 PM
  • No BSOD's here
    I have never had one with XP since I've been using it. The organizations who use linux also use custom made software for it (and only those few applications). The normal user has no such advantage and would not like the limitations and harder setup. Long live Windows and its parent company, without whom none of the whiners would ever have been on line to begin with.
    dch48
    09/09/2008 11:05 PM
  • So, how goes your job search?
    Just curious, given how bitter you are these past few years.
    B.O.F.H.
    09/05/2008 12:17 PM