Just off the Lot, Chrome Suffers Its First Dent


Web security -- what can be done to stop bad code before it does bad things -- is a vital topic.


One side of the story is creating applications secure enough that they can't easily be tampered with. I wrote about that last week.


The bookend is making browsers that can identify and resist bad code. Initially, users -- at least IT Business Edge's Ken Hardin -- and security insiders seemed reasonably satisfied with the Chrome browser, which was introduced by Google this week.


eWeek says that it offers blacklisting of known malicious sites and an "Incognito" mode that hides browser identities and deletes cookies at a session's end. Chrome also sandboxes the rendering engine. This means that bad code accepted by the browser theoretically has no way of infecting the rest of the machine. The general tenor of the piece is that Google has roughly equaled Firefox, Internet Explorer and other browsers.


But, like bloggers researching Sarah Palin, it doesn't take experts long to find bad news. A number of sites, including IT Business Edge, are reporting that Chrome is vulnerable to a carpet bombing flaw, which could give the attacker control of the machine. The piece says the source of the vulnerability is a combination of problems in Apple Safari WebKit and Java. Apple took care of the problem in Safari v3.1.2, the story says, but Chrome is based on an older version of the software. The coverage suggests that fixing this flaw won't be difficult, but the fact that it is there at all is not a good sign.


This ZDNet posting provides interesting insight into the evolution of browser security. Chrome, the post says, mimics operating systems that structurally separate processes in an effort to keep the crashing of one from bringing down the others. Many browsers operate as a single process in which other -- presumably less effective -- methods are used to keep applications from butting heads. Chrome's approach, the writer says, is a necessary step in the move of applications from the desktop to the cloud. The one unclear bit of the post is whether the writer suggests that Chrome is the only browser built in this manner.


Browser security can be upgraded after release, of course. Indeed, Firefox became a bit more secure late last month. Carnegie Mellon's School of Computer Science and College of Engineering made available a free add-on to Firefox 3.0 that protects against the well-publicized Domain Name System flaw and digital certificate issues that sporadically occur.


The add-on, named Perspectives, is used with certificates offered by VeriSign, Comodo and Go Daddy. The idea is to reduce the risk of man-in-the-middle attacks, the story says.