Wednesday, September 3, 2008

Possible Chrome Sandbox Bypass via Protocol Handler Abuse

Via Robert Hensing's Blog -

So it hasn't even been out 24 hours yet, but Chrome is, as predicted, getting scrutinized heavily and well . . . it's falling down at a pretty alarming rate (as compared to, say, IE8 beta 2, which has been out longer :))

So yesterday Aviv Raff discovered that Chrome is vulnerable to the Safari carpet bomb issue as reported here: http://blogs.zdnet.com/security/?p=1843. This is actually a download and execute / remote code execution bug which is about as bad as it gets! I verified that the PoC downloads a .JAR file to my IE downloads folder and then attempts to execute it (I got a file open dialog since I don't have Java installed).

Then this morning we have a new, more interesting (IMHO) crash that was posted here: http://evilfingers.com/advisory/google_chrome_poc.php

So, I slapped WinDBG on both processes to see what's going on - and I visited the PoC site from my Vista++ machine and this is what I observed in the debugger attached to the medium IL kernel process:

[...]

Why is this crash interesting? Because it crashes the medium IL 'kernel' process and not the low IL 'sandbox / rendering engine' process (though that process does exit when the parent process dies)!! Why is that interesting? Because it points to protocol handler abuse as a potential way to bypass the protection measures of the low IL rendering engine sandboxes!

Overall - I have to admit - I am in love with Chrome - the UI is fantastic, the rendering is pretty fast, and it's very intuitive and clutter free . . . that said - I'm very concerned about the code quality given that in less than 24 hours we've got one confirmed remote code execution vuln (one that was already patched by Apple in the same source code weeks ago!) and one 'interesting' discovery / crash - that is certainly going to draw attention to fuzzing protocol handlers and maybe lead to the discovery of something even more interesting.

Welp - the ball has been resoundingly slammed back over the net at Google - and it will be interesting to see how they respond. Will they release a blog detailing what's going on with the protocol handler debug break above? Will they release an update soon that corrects these two issues? Will they talk about how these issues were missed and what they're doing to ensure there aren't variations all over the place?

------------------------------------------------

I am still confused why Google would release a beta browser based on an outdated version of WebKit. But whatever... Looks like the Lemon needs to be updated as well....

With these possible security problems...and the just recently discovered EULA legal problem, I am not quite sure what Google's end game looks like....

Beta testing for Chrome on Android perhaps?
