Google’s Chrome Browser Vulnerable to Hackers

September 4, 2008

When Google’s new browser Chrome launched by surprise yesterday, many fans of the famously "do no evil" search company rushed to download it. Who wouldn’t be wooed by its clean looks, fast performance, and pledges of security? So far, we think the browser delivers on the first two — but we’re not so sure on that last one. Word is hitting the Web that Chrome is vulnerable to a Safari-related security issue that Apple has already fixed, but Google has (apparently) not.

The exploit lets a hacker automatically download an executable malware file to the user’s computer. It’s then up to the user to actually click on the file to run it, but with a little encouragement (as shown in the proof-of-concept), that’s not difficult to do. Should you avoid Chrome? Not necessarily, but if you’re going to use it, use common sense while online and don’t go crazy opening any file you like. The Internet’s still a dangerous place, you know.

Google’s shiny new Web browser is susceptible to a carpet-bombing flaw that could expose Windows users to malicious hacker attacks.

Just hours after the release of Google Chrome, researcher Aviv Raff discovered that he could combine two vulnerabilities — a flaw in Apple Safari (WebKit) and a Java bug discussed at this year’s Black Hat conference — to trick users into launching executables directly from the new browser.

Raff has cooked up a harmless demo of the attack in action, showing how Google Chrome users can be lured into downloading and launching a JAR (Java Archive) file that gets executed without warning.

In the proof-of-concept, Raff’s code shows how a malicious hacker can use a clever social engineering lure — it requires two mouse clicks — to plant malware on Windows desktops.

The Google Chrome user-agent shows that Chrome is actually WebKit 525.13 (Safari 3.1), which is an outdated/vulnerable version of that browser.

Apple patched the carpet-bombing issue with Safari v3.1.2.

Some Google Chrome early adopters using Windows Vista are reporting that files downloaded from the Internet are automatically dropped on the desktop, setting up a scenario where a combo attack using this unpatched IE flaw becomes possible.

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the world.
