I didn’t realize when I wrote the last post that everyone thought I was NOT going to write about security! I’ll have to watch my words since so many of you are really reading them! (Don’t let those numbers fool you on the side up there! I’ve found out I have a following that doesn’t subscribe!)
I’ve pointed you in the direction of the comic book about the making of Google Chrome, and if you didn’t get a chance to read it, or didn’t understand it, let me tell you a bit about the way this was built.
It was built on the same framework as Apple’s Safari and many other browsers, using an open source application-building program called WebKit, but it also borrowed and modified certain code from Mozilla Firefox. Mozilla Firefox, however, is built using C++ programming code and JavaScript. It’s open source code, meaning it’s available to see and use, but it’s not built on some pre-existing kit, so to speak, the way WebKit has allowed for programs like Safari and now Google Chrome.
If that’s confusing to you, that’s okay. You are probably not a programmer! And that’s okay too!
The point I want to make is that Google Chrome and Mozilla Firefox are built on two different types of programming bases and while they are being compared to each other by many a reviewer out there today (and some who are using my Big Brother Browser phrase!), they are built in two distinctly different ways.
As all of my students are used to, I’ll use one of the Debbie analogies I’m famous for.
Think of Google Chrome and Mozilla Firefox as two houses in a subdivision. Google Chrome is a pre-fab where the developer has already built the frames, walls, and sub-structures for the house and delivers them to the lot. The builder puts the pieces together to make the house that is unique to the home buyers by the way they put the pieces together.
Firefox however, is built from the ground up by a developer who drew the plans, poured the foundation and started adding the structural pieces by cutting the wood and pounding the nails.
Now, does that make either house better than the other? Structurally, no. That’s not what this comparison is about. I just wanted you to see that these two browsers are constructed differently. So let’s not confuse the issues.
That being said, Google Chrome states in the comic book that they put their pieces together in a segmented way that is called sandbox threads. What this means to the average user is that instead of the browser being exposed to a bad guy because it is constructed in one single thread that handles all the interaction with a website, the individual pieces are like rooms of their own that are meant to keep the bad guys away from the main house.
Mozilla Firefox is built similarly to that concept in that the bad guys cannot access the main structure of the house, but the entire browser is built on one thread, so the rooms have hallways connecting them to the house but no doors to isolate a single room.
Does that make sense?
What this means to us as users is that Google Chrome claims that, because of the way they built their browser, they are theoretically more secure than the other browsers because their doors are supposed to slam shut should a bad guy get in.
We’ve all experienced the lock up of a browser, whether it is Firefox, Internet Explorer, Safari, or Opera. When something goes wrong in one of those rooms, because they are all connected, the browser (or house) locks up.
Google Chrome states it’s not supposed to do that. But in my previous post, I pointed out that my LinkedIn Flash utility to add a contact manually did lock up the browser - however briefly. (Now mind you, I have a Dual Core processor too!)
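The room-with-its-own-door idea, as an added example that is not from the original post or from Chrome's code: each constructed "page" runs in its own operating-system process, so a crash or a lock-up in one room is contained while the main house carries on. The page names, the snippets they run and the 5-second timeout are assumptions made for illustration.

```python
import signal
import subprocess
import sys

# Constructed sample "pages": the code each isolated room (process) runs.
PAGES = {
    "news": "print('rendered news')",
    "crasher": "import os; os.abort()",        # simulates a page that crashes its room
    "hanger": "import time; time.sleep(60)",   # simulates a page that locks up
    "mail": "print('rendered mail')",
}


def render_isolated(name, code, timeout=5):
    """Run one page in its own OS process and report how it ended."""
    try:
        proc = subprocess.run(
            [sys.executable, "-c", code],
            capture_output=True, text=True, timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        # subprocess.run kills the child on timeout; only that room is lost.
        return {"page": name, "status": "hung-killed"}
    if proc.returncode == 0:
        return {"page": name, "status": "ok", "output": proc.stdout.strip()}
    if proc.returncode < 0:
        # Negative return code on POSIX: the child was ended by a signal.
        return {"page": name, "status": "crashed",
                "signal": signal.Signals(-proc.returncode).name}
    return {"page": name, "status": "error", "exit_code": proc.returncode}


def browse(pages):
    """The 'main house': keeps going whatever happens in any single room."""
    return [render_isolated(name, code) for name, code in pages.items()]


if __name__ == "__main__":
    for result in browse(PAGES):
        print(result)
```

The pages listed after the crashing and hanging ones still render, which is the behaviour a single shared thread cannot give you.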
Now you may be asking, “Ok, Debbie. What does this have to do with security?” Well, I’m glad you asked! (SMILE)
Aviv Raff, a security researcher, created a file that showed how Google Chrome could be exploited by a technique called Carpet Bombing. I tested his research (which is called a Proof of Concept), and it didn’t work with me. Why? Because I had already configured the options in the Chrome browser NOT to automatically download files but to always ask me where to put them! And this is standard security procedure on any new installation! (But then again, no one probably knows that because no one believes it will happen to them! As is evidenced by our lack of sales on our anniversary course special! Sorry, had to rant for a second.)
But, on the assumption that most users don’t have the knowledge I do and leave the browser at its default settings, then yes, people can be exploited without even knowing it.
Now, does that alone make Chrome unsecure? No. Then what does?
Well, the problem lies in the mash up of the way Chrome is put together. By borrowing and modifying the code from Mozilla’s Firefox and using it within the Webkit framework, we’re not too sure what we are dealing with.
Now, according to an InformationWeek article, a researcher has shown that Google Chrome can be crashed by a malicious link.
Another security researcher, Rishi Narang, claimed to have found a way to crash Chrome with a malicious link.
“An issue exists in how chrome behaves with undefined-handlers in chrome.dll version 0.2.149.27,” Narang explained on the Evil Fingers Web site. “A crash can result without user interaction. When a user is made to visit a malicious link, which has an undefined handler followed by a ’special’ character, the Chrome crashes with a Google Chrome message window ‘Whoa! Google Chrome has crashed. Restart now?’ ”
Source: http://www.informationweek.com/news/internet/google/showArticle.jhtml?articleID=210300297
Curious about this crash and undefined-handlers - which I also preach about in my hacking course - I went to Rishi Narang’s website quoted in the article. What concerns me is that in his research he found:
It crashes on “int 3” at 0x01002FF3 as an exception/trap, followed by “POP EBP” instruction when pointed out by the EIP register at 0x01002FF4.
Source: http://evilfingers.com/advisory/google_chrome_poc.php
For my students who’ve taken my hacking course, you should remember the assignment that covered the EIP register hacking example. This is NOT good!
The EIP register is the processor’s instruction pointer: it holds the memory address of the next instruction to run. It’s hard to say without more testing just how far this could allow a malcode writer to get into your system. Either way, it’s an early warning sign for me that more security testing needs to be done and that preliminary indications are that this is not the secure browser it is being touted as.
As for me, I’m rolling back to IE 7 and giving the Big Brother Browser the boot. I’m also uninstalling Google Chrome. I’ll let the hard-core researchers test it more fully. I don’t care to get spied on any more than I already am even if it is for free! I’ll stick with my Mozilla Firefox and browse happy with my extensions and plug-ins.
If you are still foolish enough to use these unsecure wolves in sheep’s clothing - aka big brother browsers - please consider taking our courses. You’re going to need them one day!
Coming soon…….
Our Director of Emerging Technology is currently very angry. He’s reformatting and reinstalling his not-even-3-month old hard drive. Reason? ZoneLabs ForceField. He’s got a story to tell you!
In the meantime, I’ll be commenting on the death of Web 2.0 over the weekend. So stay tuned…..
written by Admin