Fatma Bazargan’s blog


Google Chrome Vulnerability again, again and again…
September 9, 2008, 9:08 pm
Filed under: Security

 

In the world of security, the one problem that constantly hunts us like a nightmare is when programmers come up with applications and forget to integrate security into it. Yet another application as such was released couple of days back called Google Chrome it was so attractive to lure everyone and anyone to download and give it a try not until hours later when the Researcher Aviv Raff found it vulnerable and others followed.

 

If you have looked keenly into the source code of Google Chrome I’m sure by now you know that it uses the WebKit engine. Remember the vulnerability found in Safari v3.1 (Safari also used the source code from WebKit) known as the carpet-bombing flaw which then got rectified in the newer version of Apple Safari v3.1.2. Exactly, it seems Google used the vulnerable version of WebKit and deployed it into Chrome without doing some background checks on security issues that existed ever since.

 

Carpet-Bombing Flaw or the blended threat: a combination of different flaws one that was found in WebKit and the other is the Java Security Bug (the one discussed earlier this year at Black Hat by Petko); this is what happens any Windows user can be tricked into launching executable files right onto their desktop without user-interaction. The problem is what if the executable file is malicious!

 

That is not it; Google has also taken a feature from the Mozilla Project, where an ActiveX plug-in is loaded by Chrome, where it shows that the browser has capabilities to execute ActiveX controls.

 

You can read about other bugs that were also found in Chrome here. 

 

The actual problem resides when you borrow different codes from different open source browsers; then get into the hassle of being updated with the different flaws that has been reported and cross fingers for those which are not reported and yet you need to discover and rectify.

 

But the important question remains unanswered: why would Google enter the browser market? (hmmmm…)

 

All I can say.. Welcome Chrome! You are neat and sleek after all.  

 

-cheerz

  Bazargan

Advertisements

Leave a Comment so far
Leave a comment



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s



%d bloggers like this: