Google Chrome 7.0.503.0 beta

Discussion in 'other software & services' started by Victek, Sep 3, 2010.

Thread Status:
Not open for further replies.
  1. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    Google Chrome 6.0.472.59

    Talking about security, an update for the stable channel is out:
    One critical and six high-level issues were fixed.
     
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    JavaScript is totally isolated in a policy sandbox, so tell me, do you know of any JS that successfully intruded the system? As far as I know it can't be done without flaws in the underlying protection mechanism.

    I can't explain it any better than this:
    a) reduces the rights (to LOW) of the sandboxed tabs (in which JavaScript runs)
    and assigns a restricted SID to the tab.
    b) assigns a job ID, which prevents access to user handles outside the job; it also says that it is only allowed to access restricted token objects, is not allowed to debug, log off, etc., and dies on exceptions.
    c) switches to an alternate desktop, which prevents Windows messaging stuff etc.

    In other words: you do not need noscript IMO.

    Please convince me by providing some PoC or incident in which JS escaped the policy sandbox.
     
  3. moonriver

    moonriver Registered Member

    Joined:
    Dec 31, 2008
    Posts:
    26
    How does the new option to allow only sandboxed plug-ins differ from using the safe-plugins switch?
     
  4. tlu

    tlu Guest

    Kees, I'm not (solely) talking about intrusions. Many "modern" web attacks need not even touch your hard disk, so the scenario you described doesn't apply.

    In any case there have been quite a few serious security issues in Chrome related to javascript if you search for them.
     
  5. tlu

    tlu Guest

    I tried it a few weeks ago and can't remember all details. I'll see what I can find.

    The script can run in an iframe as an ad undetected by the whitelisted domain. And besides, most malicious scripts point to another website and are therefore blocked by Noscript. Chrome can't do that.

    As a more general side note: Robert Hansen (aka RSnake) is one of the most prominent experts when it comes to web security. I remember that you once called him "paranoid" in a previous thread (most probably because you know more about web security than he does :D ). In this blog posting he gives a, IMHO, fair view about browser comparisons. And surprise: He still uses Firefox as his browser. I wonder why he doesn't - paranoid as he is according to you - use Chrome if its security concept is really superior. Ah - I'm guessing your answer: RSnake is not only paranoid but also ignorant! :D:D:D

    In his post I found the link to this site by the renowned security researcher Michal Zalewski which is probably the most detailed comparison security-wise of the major browsers. And as far as I can see there is no clear winner - each one has its advantages and disadvantages.

    Another side note: Giorgio Maone has been in frequent contact with the Chrome developers over the past year or so. He recently wrote that he was told by them that they are (still unofficially) developing a kind of Noscript API which would make the development of a Noscript for Chrome possible. So it seems that even the Chrome developers gradually realize that something is missing in their product.
     
    Last edited by a moderator: Sep 15, 2010
  6. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
  7. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    I'm fairly confident this is a false claim. NoScript recognizes and blocks Javascript and plugins by domain, but once allowed it does not block scripts from fetching external resources.

    Do you have any evidence to show that NoScript works the way you describe it?

    It looks like you're starting off by assuming that this discussion will be based on rhetoric and emotions instead of facts, and taking the "pre-emptive strike" by putting words into my mouth accordingly. Even if that's your modus operandi, I don't see any reason to believe that everyone else is going to resort to the same tactics as you do.

    You might want to actually read the link you posted. In no way does your chosen champion - summoned to present the defense that you apparently could not - deliver an endorsement of NoScript's security, much less Firefox's. In fact, he goes to great lengths to emphasize that he finds the question of the most secure browser to be difficult to answer.

    I think you're really getting confused. In your previous posts you talked about NoScript (a client-side defense), and now you summon an article that talks about server- and server+client-side defenses to prove your point?

    I really don't understand what you're trying to imply. Are you trying to hint that the Chrome developers are implementing the APIs solely for the purpose of making NoScript possible (it would also seem that NotScripts has proven that NoScript-like functionality is already possible, even though those APIs have presumably yet to land)? Are you suggesting that it has been somehow claimed that Chrome is completely perfect, and nothing is missing from it?

    PS: Posted from Firefox, btw.
     
  8. tlu

    tlu Guest

    Very quick answer.
    Oh, c'mon Eice - you're not that prim either. You've seen my smilies, haven't you?

    Did I say that?

    You've really read that site?
    [ ] yes
    [x] no


    Did I say that the Chrome developers talked with me?
     
  9. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    The beta still doesn't offer a setting whereby the maximum size of Chrome's cache can be specified by the user. I used Chrome for a few hours of surfing the other day. When I ran CCleaner, it cleaned out 161MB from Chrome's cache. Good grief!!! :argh:

    Is there some way to configure Chrome so as to control this? (I haven't been able to find one so far.)
     
  10. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    Not particularly elegant, but supposedly works:
    http://www.google.com/support/forum/p/Chrome/thread?tid=098d42a41aacdc6d&hl=en
     
  11. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Thanks MUCHLY!!!

    I'm trying their work-around now. I won't know if it works until I have surfed around a while.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Update -- after just over 1 hour of surfing, Chrome's cache was already 89MB. Evidently the work-around doesn't do the job -- at least, not on my computer.
     
    Last edited: Sep 16, 2010
  12. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    There are quite a few suggestions on that page. Which did you try? Registry tweak? Command-line switch?
     
  13. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417

    This one seems the most promising:
    "...\Google\Chrome\Application\chrome.exe" --disk-cache-size=1 --media-cache-size=1

    (Monkey123456's post dated 2/28/10)

    Hope this helps.
     
  14. Defcon

    Defcon Registered Member

    Joined:
    Jul 5, 2006
    Posts:
    337
    Please don't pay any attention to Google release designations or version numbers! I sometimes think it's a joke they play on us :)

    Many Google products like Gmail were in perpetual beta and better than any released app. OTOH they update version numbers in Chrome every other month.

    It doesn't matter, it's a self-updating app and no one notices the differences until they read about them. It's not like you have to uninstall, face compatibility issues (looking at you, Firefox) or PC restarts (IE); it's all silent.
     
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yeah right, that is handled by the sandbox also. I mentioned inter-process messages, user handles etc.; this has nothing to do with the hard disk.

    Chrome issues critical updates on possible errors they have found, I never have found an actual in the wild intrusion of Chrome, so please provide some links.

    Here's some reading on the Chrome sandbox http://www.breakingpointsystems.com/community/blog/chrome-sandbox/
     
    Last edited: Sep 16, 2010
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Latest Iron/Chrome, now also able to EMET :thumb:
     


    Last edited: Sep 16, 2010
  17. tlu

    tlu Guest

    Kees, this is probably true for all major browsers (with the exception of IE ;) ).

    And regarding the sandbox: I don't say it is bad - on the contrary. I just say that it is not unbreakable - a very quick search gave, e.g., this. Thus, the logic: "Chrome has a sandbox => nothing can happen" is too simple. I think mankind still has to invent a sandbox that is 100% secure. But again, this doesn't mean that a sandbox is useless. For Firefox, something similar is on the stocks. Plugins can already be sandboxed by setting "dom.ipc.plugins.enabled" to "true".
     
  18. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    Personally, I've always wondered if IE8 has ever been publicly exploited in the wild.

    That's certainly a very true assessment. A similar bypass happened to NoScript before using Unicode characters, I believe.

    But to discuss such a topic, it'd be helpful if you clarified what you meant by "unbreakable". Is there a flaw that's inherent to the design of the security mechanism itself, or did someone just make a mistake or overlook something while writing the code?

    Um, no. Separating plugins out into their own processes does not equate to sandboxing them.
     
  19. tlu

    tlu Guest

    Granted, but it's a start.
     
  20. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Again detected by the Google team, it is a "potentially cause a heap-based buffer overflow". Any idea how hard it is to use a heap-based buffer overflow? You have to guess the offset right to access something outside the sandbox. Next you're (at least with Vista and higher) in medium-rights country; also DEP and ASLR will give you a hard time achieving anything. When you use EMET 2, I can't think of a practical way of exploiting this (and it was Chrome 2.0).

    Again, I ask you to show me the money :D (meaning an issue successfully exploited and not reported by Google devs).

    For me it feels foolish to discuss an A versus B, where A has a probability of 40 percent to get hacked (FF before 3.6) and B has a probability of 0.5% to get hacked. A has an add-on which reduces the 40% to 10%. Now people are telling me B is a no-go option because it does not have an add-on which reduces risk by 30%. I can only say: you are right, B does not have such an option, and if that is making you feel insecure, don't use it.
     
    Last edited: Sep 16, 2010
  21. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    What do you mean by "start", exactly?

    It's a separate prerequisite that by itself provides no sandboxing (privilege/access control) whatsoever. No offense, but trying to confuse the two is being quite misguided.

    You mean by 75%, not 30. :p
     
  22. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    When Sully completes the Safe-admin and FF will run with Low rights AND the download directory has a no-execute-up ACL AND FF runs EMET, this will harden the security of FF a multiple of what NoScript will ever achieve.

    I have ranted against FF in the past, but since 3.6 it is a decent browser. With Safe-Admin (and Noscript :D ) it will be a good browser which can compete with Iron on safety and security.

    I only hope Thomas will try Safe-admin ;)
     
  23. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    That's the one I tried, but without --media-cache-size=1.

    I have added the media thingee & shall try again.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    By the way, the shortcut to Chrome's built-in surfing data cleaner-outer is shift-control-delete
     
    Last edited: Sep 16, 2010
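    As an added example (not code from the thread, from Google or from the linked support page), a PowerShell script that puts the switches vasa1 quoted into a Chrome shortcut and measures Chrome's cache folders, so the "did it work?" check bellgamin does with CCleaner can be repeated before and after a surfing session. The install path, profile path and cache folder names are assumptions for a default per-user Chrome install on Windows.

```powershell
# Added example: wire the cache-limiting switches from the thread into a
# shortcut and measure the cache folders. Paths below are assumptions for a
# default per-user Chrome install; adjust them if Chrome lives elsewhere.
$ChromeExe  = "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe"   # assumption
$ProfileDir = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default"        # assumption
$CacheDirs  = @("$ProfileDir\Cache", "$ProfileDir\Media Cache")          # assumption
$Switches   = "--disk-cache-size=1 --media-cache-size=1"                 # from the thread

# Total size of Chrome's cache folders in MB (0 if they do not exist yet).
function Get-ChromeCacheSizeMB {
    $bytes = 0
    foreach ($dir in $CacheDirs) {
        if (Test-Path $dir) {
            $sum = (Get-ChildItem -Path $dir -Recurse -ErrorAction SilentlyContinue |
                    Where-Object { -not $_.PSIsContainer } |
                    Measure-Object -Property Length -Sum).Sum
            if ($sum) { $bytes += $sum }
        }
    }
    return [math]::Round($bytes / 1MB, 1)
}

# Create a desktop shortcut that starts Chrome with the switches, so the
# limit applies every time Chrome is launched from it (not just once).
function New-ChromeSmallCacheShortcut {
    param([string]$Path = "$env:USERPROFILE\Desktop\Chrome (small cache).lnk")
    $shell = New-Object -ComObject WScript.Shell
    $lnk = $shell.CreateShortcut($Path)
    $lnk.TargetPath = $ChromeExe
    $lnk.Arguments  = $Switches
    $lnk.Save()
    return $Path
}

# Usage: close Chrome, note the size, surf for an hour via the new shortcut,
# then run Get-ChromeCacheSizeMB again; the second number should stay small.
$shortcut = New-ChromeSmallCacheShortcut
"Shortcut created: $shortcut"
"Cache size now: $(Get-ChromeCacheSizeMB) MB"
```

    Launching Chrome from the normal Start menu entry bypasses the switches, so only sessions started from the shortcut count.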
  24. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    Useful nugget!
     
  25. wilbertnl

    wilbertnl Registered Member

    Joined:
    Dec 29, 2004
    Posts:
    1,850
    Location:
    Tulsa, Oklahoma
    I would like you all to go to http://www.chess.com/livechess/myhome.html and play a game of live chess in any browser that you have installed.
    (I prefer the basic version)

    Then come back here and give us an indication of which browser feels snappiest?
    Would you do that?
     