Glitch tarnishes Chrome browser
- By Dan Campbell
- Sep 05, 2008
The release of Google’s Chrome browser this week has been
dampened by the discovery of a security risk.
Security researchers uncovered a vulnerability that combines a
Java bug with a known flaw in an older version of WebKit, along
with a bit of social engineering. The discovery of the security
vulnerability just a day after the browser’s release is
somewhat awkward, as Google had touted Chrome’s security in
its official news release.
During a browsing session, a file may be downloaded to a
user’s computer without their knowledge. The Chrome browser
displays the file at the bottom of the browser window as a
clickable button that potentially could persuade the web surfer to
open the file, which could be a Java-based executable file that
runs malicious code, inserts malware or runs unauthorized programs
without any further user input to prevent it.
WebKit, an open-source engine, is the heart of the Chrome
browser and is the same engine used by Apple Computer in its Safari
browser. The issue in the version of WebKit used in Chrome was
discovered this past spring and was corrected by Apple in July with
a patch. However, Chrome was released using the older, vulnerable
version of WebKit.
An attack based on automatically downloading files to a
user’s PC is known as “carpet bombing.” The Java
bug adds to the vulnerability in that Chrome’s Java
implementation by default does not display a warning about the
file’s execution after the user clicks on it.
Security experts argue that, in fairness to Google, the version
of Chrome that was released is considered to be beta, and thus
those downloading it should beware of potential bugs. Presumably
Google became aware of the WebKit vulnerability while Apple was
implementing its fix but released the Chrome beta version anyway to
make the browser available, and will provide a patch for Chrome
through the browser’s self-updating, self-healing
Security experts disagree on whether the issue falls solely on
the shoulders of Google and Chrome, considering that it relies on
the unsuspecting user opening a file that they did not ask to
download. This bit of social engineering that tricks people into
opening malicious files exists in many facets of Internet use, as
well as software use in general. A simple short-term preventive
measure is to change the browser’s default setting to prompt
before any file download for the filename and location where the
file should be stored, alerting the user to its presence.
New software products are often the immediate target of hackers
who want to find vulnerabilities, if for no other reason than
notoriety and perhaps the chance to throw some egg in the face of
the software developer. This is particularly true given that the
developer in this case, Google, is the behemoth that is in the news
daily and is clearly targeting Microsoft’s nearly monopoly
Dan Campbell is a freelance writer with Government Computer News and the president of Millennia Systems Inc.