[Yr7-10it] Browser security
stephen at melbpc.org.au
Fri Apr 9 13:22:15 EST 2010
Chrome Browser, Unhacked
By RIVA RICHMOND NYTimes Blogs
<http://gadgetwise.blogs.nytimes.com/2010/04/08/chrome-browser-unhacked>
<http://dvlabs.tippingpoint.com/blog/2010/02/15/pwn2own-2010>
<http://www.zerodayinitiative.com/about/benefits/>
Late last month, another kind of games was held in Vancouver: the Pwn2Own
contest, where computer-security researchers were invited to hack
computers using unknown, or 'zero-day,' vulnerabilities in Web browsers.
The contest's sponsor, TippingPoint's Zero Day Initiative, which pays
researchers to find security bugs, offered prizes of $10,000 for hacks of
each of four browsers (latest versions of Microsoft's Internet Explorer,
Mozilla's Firefox, Apple's Safari and Google's Chrome) plus the computer
the winners hacked.
For the second year, all the browsers fell except Chrome.
Chrome has some security advantages, but its survival doesn't mean the
browser is unbreakable or the most secure, says TippingPoint's Aaron
Portnoy, who organized Pwn2Own. Researchers come to the contest with
attacks in their pockets, and like malicious hackers they tend to focus
on the most broadly used software.
Chrome has a small, albeit growing, market share of 6.1% in March,
according to Net Applications.
<http://www.netmarketshare.com/browser-market-share.aspx?qprid=1>
"People think that their time is better spent finding bugs in more
popular software because it's worth more money," Mr. Portnoy said.
Nevertheless, Chrome, as the newest browser on the market, includes
security advances that make it an interesting target.
Google built its browser after the Web became a major avenue for malware,
and it learned from its competitors' woes.
In a key move, Google put most of Chrome in a 'sandbox,' a low-privilege
mode that runs commands from the Internet in a virtual machine where they
can't hurt users' systems, says Linus Upson, vice president of
engineering for Chrome.
The approach can stop attacks no one has ever seen before, which is
increasingly important as antivirus software makers, which only stop
known attacks, struggle with a flood of new attacks designed to get
around their defenses.
Hackers are aggressively seeking to infiltrate PCs with drive-by
downloads of malware that exploit bugs in the surfer's Web browser, with
the favorites being Explorer and Firefox, the most popular browsers. They
also attack Flash, Java and other Web programs. The malware is often
delivered via legitimate Web pages that have also been hacked.
According to Web-security firm Dasient, 5.5 million pages on 560,000
sites were infected with malware in the last quarter of 2009.
To successfully attack Chrome (or win a Pwn2Own prize), an attacker would
have to take two steps: find a Chrome bug and exploit it and then get out
of the sandbox, says Charlie Miller, principal analyst at consulting firm
Independent Security Evaluators and a three-year winner of Pwn2Own for
hacking Safari on a Mac.
Theoretically, an attacker could also find a workable bug in the part of
Chrome that's not in the sandbox, he said.
"It's one more layer of defenses you have to get through," he says.
Attackers targeting large numbers of Web users aren't likely to bother
with it, not when there are other browsers to hit. Neither Firefox nor
Safari use sandboxes. Newer versions of Internet Explorer have a similar
feature called Protected Mode that users can activate.
Since plug-ins are also attacked, Mr. Upson said Google is working with
Adobe and others to put popular plug-ins into Chrome's sandbox.
It's also managing updates that fix bugs in Adobe's Flash, among other
plug-ins, so that Chrome users get them automatically.
Google pushes out all updates to Chrome silently; users aren't asked if
they want to update their software, it just happens. In a world of
worsening cybercrime, it thinks it's too risky to make good security
practices optional.
--
Cheers,
Stephen