12 reasons not to use IE

Discussion in 'other security issues & news' started by datarishik, Jul 5, 2011.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Except that EMET breaks Silverlight when forced on Chrome.exe...

    And there's only a single Chrome exploit that breaks out of the sandbox, all other exploits would only allow malicious action within the sandbox.

    edit: And, of course, we see a huge increase of vulnerabilities as more and more users start using the product and as the open source project gains popularity.

    This is typical.


    edit2: Just forced Chrome with EMET, turned EAF off since I assumed that was the issue. It's working now. But like I said only a single vulnerability has been shown to break through the sandbox so far, that inspires confidence.
     
    Last edited: Jul 7, 2011
  2. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Then, I assume this is just a problem with Google Chrome? I run Chromium, and I do not recall Silverlight ever breaking.

    But, it's been a long time since I last accessed a website (Microsoft's) running Silverlight.
     
  3. MessageBoxA

    MessageBoxA Registered Member

    Joined:
    Jun 20, 2011
    Posts:
    62
    Yeah, it's the sandbox that makes Chrome more difficult to penetrate.

    Heh, that was the real reason I responded to your post. You updated your post before I submitted the response. I was going to tell you to disable EAF. Chrome will benefit from the other EMET mitigations.

    http://social.technet.microsoft.com/Forums/en-US/emet/thread/8cecb84f-04ca-4cb5-88d3-14bbea8b9258

    -MessageBoxA
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Not necessarily a problem.

    http://news.softpedia.com/news/Goog...Solution-EMET-for-Arbitrary-Apps-166957.shtml
    Granted it's an outdated article, the point is that if a browser already natively supports these things EMET doesn't add anything and can make things more difficult.

    I'm trying to find out if Chrome natively supports EMET 2.1's security features.
     
  5. MessageBoxA

    MessageBoxA Registered Member

    Joined:
    Jun 20, 2011
    Posts:
    62
    Chrome does not implement any of the mitigations of EMET. It does however have its own export table resolver which is why it conflicts with EAF.

    -MessageBoxA
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Um, yes, of course it implements some of the mitigations already.

    DEP? ASLR? SEHOP? Yes, all three. I'm just curious about the others.
     
  7. MessageBoxA

    MessageBoxA Registered Member

    Joined:
    Jun 20, 2011
    Posts:
    62
    Not really sure why you want to push this issue. DEP, ASLR and SEHOP are actually implemented by the operating system. Although Chrome is compiled with support for all three of them. I don't really see how they could be considered Google Chrome security features.

    The reason Chrome wins contests such as Pwn2Own is both the 'Low Integrity' architecture and the excellent sandboxing. There are actually plenty of exploits available for Webkit/V8 based Chrome. It's just that once you get into the Chrome process it is difficult to escape the sandbox and to elevate. There are plenty of Metasploit modules floating around for Chrome but even if you obtain a reverse shell you often have limited access.

    Anyway I actually recommend Chrome to anyone who asks. We will see how long Google keeps the crown... the next generation of remote exploits will be WebGL and HTML5 based.

    -MessageBoxA
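
The post above says DEP and ASLR are enforced by the operating system while a binary is only "compiled with support" for them; that opt-in is recorded in the `DllCharacteristics` field of the PE optional header. The following is an added example, not part of the original thread, that reads those two bits from an image; `mitigation_flags` and `build_sample` are hypothetical names, the sample image is a constructed header-only stub, and SEHOP is not covered.

```python
import struct

# Flag values from the PE/COFF specification (IMAGE_DLLCHARACTERISTICS_*).
DYNAMIC_BASE = 0x0040  # image opted in to ASLR (linker /DYNAMICBASE)
NX_COMPAT = 0x0100     # image opted in to DEP (linker /NXCOMPAT)


def mitigation_flags(image: bytes) -> dict:
    """Return the ASLR/DEP opt-in bits recorded in a PE image's headers."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)  # e_lfanew
    opt_off = pe_off + 4 + 20  # skip "PE\0\0" signature and COFF header
    if len(image) < opt_off + 72 or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad or truncated PE header")
    (magic,) = struct.unpack_from("<H", image, opt_off)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ layouts.
    (chars,) = struct.unpack_from("<H", image, opt_off + 70)
    return {
        "aslr": bool(chars & DYNAMIC_BASE),
        "dep": bool(chars & NX_COMPAT),
        "pe32plus": magic == 0x20B,
    }


def build_sample(dll_characteristics: int, magic: int = 0x10B) -> bytes:
    """Constructed header-only PE stub for demonstration (not a loadable binary)."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + b"\0" * 20 + bytes(opt)


if __name__ == "__main__":
    # Constructed samples: one opted in to both mitigations, one to neither.
    print(mitigation_flags(build_sample(DYNAMIC_BASE | NX_COMPAT)))
    print(mitigation_flags(build_sample(0)))
```

To check a real binary, pass the first few kilobytes of the file read in binary mode to `mitigation_flags`.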
     
  8. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    Reading!
    I'll post my opinion :D
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    That's basically word for word what I've said in the last two pages... Chrome has exploits, but they don't escape the sandbox... only one ever has.
     
  10. Hakuna Matata

    Hakuna Matata Registered Member

    Joined:
    Jul 6, 2011
    Posts:
    12
    Correct me if I'm wrong, but assuming the default settings in IE9 the site is in Protected Mode, meaning it's sandboxed as well?
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    It's always sandboxed. When it's in protected mode I believe it makes use of low integrity. I could be wrong.
     
  12. tlu

    tlu Guest

    In the last Pwn2Own there were no attacks presented against Chrome - and neither against Firefox. There's probably a reason why ...
     
  13. MessageBoxA

    MessageBoxA Registered Member

    Joined:
    Jun 20, 2011
    Posts:
    62
    That's absolutely true... Google played dirty in my opinion... they patched the Chrome browser a couple of days before the last contest. The patch broke the submission. In fact because the Pwn2Own contest gets so much media attention... most of the browser vendors are doing this now. Mozilla did the same thing and broke a part of the Firefox submission.

    Yes, IE9 claims to have a sandbox but it is really nothing more than the 'Low Integrity' policies, UIPI and UAC. Chrome is a little more aggressive and is actually hooking specific functions and exports along with a low integrity model. The Chrome implementation is a little more hackish... but it is working quite well for them.

    At the moment Chrome is on every security researcher's radar. It's getting hot in the kitchen... let's see if they can stand the heat.

    -MessageBoxA
     
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Just look in one way and build all your evidence on that direction, what a terrible blog post :thumbd:

    Three reasons to use it
    1. Has got protected mode
    2. Checks downloads on known malware
    3. Has one of the best website filters (smart screen)


    PS. I am using Chrome, for its superior low rights containment
     
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yeah Chrome's "smart screen" is lacking. But at least it checks downloads and the "protected mode" is always on.
     
  16. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Doesn't Google Chrome have malware and phishing protection already? Chromium does... long time ago.
     
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yes... I didn't say it doesn't. I'm saying it's lacking. IE9 blocks more malicious sites than Chrome does.

    edit: It is a safe bet that anything Chromium has Chrome will too. At least for the same versions (i.e., don't start comparing Chromium 14 to 13)
     
  18. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Either a Smart Screen-feature is lacking or it isn't... There can't be a middle term.

    And, you did mention Yeah Chrome's "smart screen" is lacking. But at least it checks downloads and the "protected mode" is always on.

    It doesn't at least it checks downloads and the "protected mode" is always on.

    It has a malware and phishing filter, and it checks downloads and has a "protected mode" and more.

    And, no, I'm not comparing with Chromium. I was being sarcastic. I know/knew Google Chrome has it. I have relatives running Google Chrome, which was installed by me.
     
  19. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I didn't say it's lacking a smart screen... I said the smart screen is lacking. I don't know how to be any clearer. When something is lacking it means that it's there but not as good as it could be... it leaves something to be desired... it is not up to par... do you understand?
     
  20. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I know what lack means. But, information from you was lacking.

    You simply said that a SmartScreen-like feature was lacking, But at least it* checks downloads and the "protected mode" is always on.

    * Google Chrome

    So, I simply interpreted one meaning of lack, according to what you wrote. Lack also means to be without something, or in other words, it doesn't have something, it lacks it.

    And, I didn't make this up just now. I actually took it from the Oxford dictionary... Just in case. ;)
     
  21. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    "Lacking", when used in the sense that the feature is there but of poor quality, is a slang term, not the actual term. This forum consists of people all over the world, you can't expect them to always understand slang, then call them out for not understanding.
     
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    How relevant.

    a) I didn't call him out. I said I didn't know how to be clearer and then I made my best attempt.
    b) It's not slang. To "find something lacking" does not necessarily mean to find it missing. Dearth is a synonym for lacking. It means "insufficiency or scarcity." It means that it leaves me "wanting."
    edit: Some other synonyms: Deficiency, defect, default, below par

    Context matters. I thought it was fairly clear. It apparently was not so I made it clear (obviously, since we now all seem to understand each other.)

    Hope that clears this up... there was no "calling out" only clarification.

    edit2: Some sources I guess
    http://dictionary.reference.com/browse/lacking
    http://thesaurus.com/browse/lack
    http://thesaurus.com/browse/lacking
     
  23. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Considering your overuse of ellipsis in your sentence, it was quite obvious what you were trying to imply. Your use of context may be "obvious" to you, but don't expect it to be obvious to everyone else, then act like it should have been obvious in the first place.
     
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Elapsed, I think it's been made fairly clear that you have a problem with me. I have no need to waste time arguing about what I was or was not trying to convey based on the way that I type.

    I felt I was being clear. I attempted to clarify further. It worked. You're the one harping on this non-issue.
     
  25. Dude111

    Dude111 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    212
    Indeed........Any browser can be a nightmare!
     