Bit Defender Safe Pay

Discussion in 'other anti-virus software' started by JerryM, Mar 11, 2014.

Thread Status:
Not open for further replies.
  1. itman

    I was just reviewing the test Matousec did on banking security software a while back: http://www.matousec.com/info/reports/Online-Payments-Threats-2.pdf. BD's Safe Pay ranked right at the top with Kaspersky. However, if you read the testing details, most of the test threats were actually blocked by BD's Internet Security software before they had a chance to get into the BD Safe Pay browser. I have yet to see a threat test of BD Safe Pay using non-BD IS/AV software. As such, I question its effectiveness when used in a non-exclusive BD environment.
     
  2. BoerenkoolMetWorst

    If that's the only reason, why not get a VPN instead, then all your traffic will be protected instead of only the browser traffic.


    How is this not real-world?
    Here's a list of fixed vulnerabilities since Chrome 25.0.1364.172 used by SafePay, and it's not even a complete list.

    [172342] High CVE-2013-0916: Use-after-free in Web Audio. Credit to Atte Kettunen of OUSPG.
    [180909] Low CVE-2013-0917: Out-of-bounds read in URL loader. Credit to Google Chrome Security Team (Cris Neckar).
    [180555] Low CVE-2013-0918: Do not navigate dev tools upon drag and drop. Credit to Vsevolod Vlasov of the Chromium development community.
    [Linux only] [178760] Medium CVE-2013-0919: Use-after-free with pop-up windows in extensions. Credit to Google Chrome Security Team (Mustafa Emre Acer).
    [177410] Medium CVE-2013-0920: Use-after-free in extension bookmarks API. Credit to Google Chrome Security Team (Mustafa Emre Acer).
    [174943] High CVE-2013-0921: Ensure isolated web sites run in their own processes.
    [174129] Low CVE-2013-0922: Avoid HTTP basic auth brute force attempts. Credit to “t3553r”.
    [169981] [169972] [169765] Medium CVE-2013-0923: Memory safety issues in the USB Apps API. Credit to Google Chrome Security Team (Mustafa Emre Acer).
    [169632] Low CVE-2013-0924: Check an extension’s permissions API usage again file permissions. Credit to Benjamin Kalman of the Chromium development community.
    [168442] Low CVE-2013-0925: Avoid leaking URLs to extensions without the tabs permissions. Credit to Michael Vrable of Google.
    [112325] Medium CVE-2013-0926: Avoid pasting active tags in certain situations. Credit to Subho Halder, Aditya Gupta, and Dev Kar of xys3c (xysec.com).
    [235638] High CVE-2013-2837: Use-after-free in SVG. Credit to Sławomir Błażek.
    [235311] Medium CVE-2013-2838: Out-of-bounds read in v8. Credit to Christian Holler.
    [230176] High CVE-2013-2839: Bad cast in clipboard handling. Credit to Jon of MWR InfoSecurity.
    [230117] High CVE-2013-2840: Use-after-free in media loader. Credit to Nils of MWR InfoSecurity.
    [227350] High CVE-2013-2841: Use-after-free in Pepper resource handling. Credit to Chamal de Silva.
    [226696] High CVE-2013-2842: Use-after-free in widget handling. Credit to Cyril Cattiaux.
    [222000] High CVE-2013-2843: Use-after-free in speech handling. Credit to Khalil Zhani.
    [196393] High CVE-2013-2844: Use-after-free in style resolution. Credit to Sachin Shinde (@cons0ul).
    [188092] [179522] [222136] [188092] High CVE-2013-2845: Memory safety issues in Web Audio. Credit to Atte Kettunen of OUSPG.
    [177620] High CVE-2013-2846: Use-after-free in media loader. Credit to Chamal de Silva.
    [176692] High CVE-2013-2847: Use-after-free race condition with workers. Credit to Collin Payne.
    [176137] Medium CVE-2013-2848: Possible data extraction with XSS Auditor. Credit to Egor Homakov.
    [171392] Low CVE-2013-2849: Possible XSS with drag+drop or copy+paste. Credit to Mario Heiderich.
    [241595] High CVE-2013-2836: Various fixes from internal audits, fuzzing and other initiatives.
    [243339] High CVE-2013-2854: Bad handle passed to renderer. Credit to Collin Payne.
    [242322] Medium CVE-2013-2855: Memory corruption in dev tools API. Credit to “daniel.zulla”.
    [242224] High CVE-2013-2856: Use-after-free in input handling. Credit to miaubiz.
    [240124] High CVE-2013-2857: Use-after-free in image handling. Credit to miaubiz.
    [239897] High CVE-2013-2858: Use-after-free in HTML5 Audio. Credit to “cdel921”.
    [237022] High CVE-2013-2859: Cross-origin namespace pollution. Credit to “bobbyholley”.
    [225546] High CVE-2013-2860: Use-after-free with workers accessing database APIs. Credit to Collin Payne.
    [209604] High CVE-2013-2861: Use-after-free with SVG. Credit to miaubiz.
    [161077] High CVE-2013-2862: Memory corruption in Skia GPU handling. Credit to Atte Kettunen of OUSPG.
    [232633] Critical CVE-2013-2863: Memory corruption in SSL socket handling. Credit to Sebastien Marchand of the Chromium development community.
    [239134] High CVE-2013-2864: Bad free in PDF viewer. Credit to Mateusz Jurczyk, with contributions by Gynvael Coldwind, both from Google Security Team.
    [246389] High CVE-2013-2865: Various fixes from internal audits, fuzzing and other initiatives.
    [249335] Medium CVE-2013-2866: Clickjacking in the Flash plug-in.
    [$21,500] A special reward for Andrey Labunets for his combination of CVE-2013-2879 and CVE-2013-2868 along with some (since fixed) server-side bugs.
    [252216] Low CVE-2013-2867: Block pop-unders in various scenarios.
    [252062] High CVE-2013-2879: Confusion setting up sign-in and sync. Credit to Andrey Labunets.
    [252034] Medium CVE-2013-2868: Incorrect sync of NPAPI extension component. Credit to Andrey Labunets.
    [245153] Medium CVE-2013-2869: Out-of-bounds read in JPEG2000 handling. Credit to Felix Groebert of Google Security Team.
    [244746] [242762] Critical CVE-2013-2870: Use-after-free with network sockets. Credit to Collin Payne.
    [244260] Medium CVE-2013-2853: Man-in-the-middle attack against HTTP in SSL. Credit to Antoine Delignat-Lavaud and Karthikeyan Bhargavan from Prosecco at INRIA Paris.
    [243991] [243818] High CVE-2013-2871: Use-after-free in input handling. Credit to miaubiz.
    [Mac only] [242702] Low CVE-2013-2872: Possible lack of entropy in renderers. Credit to Eric Rescorla.
    [241139] High CVE-2013-2873: Use-after-free in resource loading. Credit to miaubiz.
    [Windows + NVIDIA only] [$500] [237611] Medium CVE-2013-2874: Screen data leak with GL textures. Credit to “danguafer”.
    [$500] [233848] Medium CVE-2013-2875: Out-of-bounds-read in SVG. Credit to miaubiz.
    [229504] Medium CVE-2013-2876: Extensions permissions confusion with interstitials. Credit to Dev Akhawe.
    [229019] Low CVE-2013-2877: Out-of-bounds read in XML parsing. Credit to Aki Helin of OUSPG.
    [196636] None: Remove the “viewsource” attribute on iframes. Credit to Collin Jackson.
    [177197] Medium CVE-2013-2878: Out-of-bounds read in text handling. Credit to Atte Kettunen of OUSPG.
    [256985] High CVE-2013-2880: Various fixes from internal audits, fuzzing and other initiatives (Chrome 28).
    [257748] Medium CVE-2013-2881: Origin bypass in frame handling. Credit to Karthik Bhargavan.
    [260106] High CVE-2013-2882: Type confusion in V8. Credit to Cloudfuzzer.
    [260165] High CVE-2013-2883: Use-after-free in MutationObserver. Credit to Cloudfuzzer.
    [248950] High CVE-2013-2884: Use-after-free in DOM. Credit to Ivan Fratric of Google Security Team.
    [249640] [257353] High CVE-2013-2885: Use-after-free in input handling. Credit to Ivan Fratric of Google Security Team.
    [261701] High CVE-2013-2886: Various fixes from internal audits, fuzzing and other initiatives.
    [181617] High CVE-2013-2900: Incomplete path sanitization in file handling. Credit to Krystian Bigaj.
    [254159] Low CVE-2013-2905: Information leak via overly broad permissions on shared memory files. Credit to Christian Jaeger.
    [257363] High CVE-2013-2901: Integer overflow in ANGLE. Credit to Alex Chapman.
    [260105] High CVE-2013-2902: Use after free in XSLT. Credit to cloudfuzzer.
    [260156] High CVE-2013-2903: Use after free in media element. Credit to cloudfuzzer.
    [260428] High CVE-2013-2904: Use after free in document parsing. Credit to cloudfuzzer.
    [274602] CVE-2013-2887: Various fixes from internal audits, fuzzing and other initiatives (Chrome 29).
    [223962][270758][271161][284785][284786] Medium CVE-2013-2906: Races in Web Audio. Credit to Atte Kettunen of OUSPG.
    [260667] Medium CVE-2013-2907: Out of bounds read in Window.prototype object. Credit to Boris Zbarsky.
    [265221] Medium CVE-2013-2908: Address bar spoofing related to the “204 No Content” status code. Credit to Chamal de Silva.
    [265838][279277] High CVE-2013-2909: Use after free in inline-block rendering. Credit to Atte Kettunen of OUSPG.
    [269753] Medium CVE-2013-2910: Use-after-free in Web Audio. Credit to Byoungyoung Lee of Georgia Tech Information Security Center (GTISC).
    [271939] High CVE-2013-2911: Use-after-free in XSLT. Credit to Atte Kettunen of OUSPG.
    [276368] High CVE-2013-2912: Use-after-free in PPAPI. Credit to Chamal de Silva and 41.w4r10r(at)garage4hackers.com.
    [278908] High CVE-2013-2913: Use-after-free in XML document parsing. Credit to cloudfuzzer.
    [279263] High CVE-2013-2914: Use after free in the Windows color chooser dialog. Credit to Khalil Zhani.
    [280512] Low CVE-2013-2915: Address bar spoofing via a malformed scheme. Credit to Wander Groeneveld.
    [281256] High CVE-2013-2916: Address bar spoofing related to the “204 No Content” status code. Credit to Masato Kinugawa.
    [281480] Medium CVE-2013-2917: Out of bounds read in Web Audio. Credit to Byoungyoung Lee and Tielei Wang of Georgia Tech Information Security Center (GTISC).
    [282088] High CVE-2013-2918: Use-after-free in DOM. Credit to Byoungyoung Lee of Georgia Tech Information Security Center (GTISC).
    [282736] High CVE-2013-2919: Memory corruption in V8. Credit to Adam Haile of Concrete Data.
    [285742] Medium CVE-2013-2920: Out of bounds read in URL parsing. Credit to Atte Kettunen of OUSPG.
    [286414] High CVE-2013-2921: Use-after-free in resource loader. Credit to Byoungyoung Lee and Tielei Wang of Georgia Tech Information Security Center (GTISC).
    [286975] High CVE-2013-2922: Use-after-free in template element. Credit to Jon Butler.
    [299016] CVE-2013-2923: Various fixes from internal audits, fuzzing and other initiatives (Chrome 30).
    [275803] Medium CVE-2013-2924: Use-after-free in ICU. Upstream bug here.
    [292422] High CVE-2013-2925: Use after free in XHR. Credit to Atte Kettunen of OUSPG.
    [294456] High CVE-2013-2926: Use after free in editing. Credit to cloudfuzzer.
    [297478] High CVE-2013-2927: Use after free in forms. Credit to cloudfuzzer.
    [305790] CVE-2013-2928: Various fixes from internal audits, fuzzing and other initiatives.
    [268565] Medium CVE-2013-6621: Use after free related to speech input elements. Credit to Khalil Zhani.
    [272786] High CVE-2013-6622: Use after free related to media elements. Credit to cloudfuzzer.
    [282925] High CVE-2013-6623: Out of bounds read in SVG. Credit to miaubiz.
    [290566] High CVE-2013-6624: Use after free related to “id” attribute strings. Credit to Jon Butler.
    [295010] High CVE-2013-6625: Use after free in DOM ranges. Credit to cloudfuzzer.
    [295695] Low CVE-2013-6626: Address bar spoofing related to interstitial warnings. Credit to Chamal de Silva.
    [299892] High CVE-2013-6627: Out of bounds read in HTTP parsing. Credit to skylined.
    [306959] Medium CVE-2013-6628: Issue with certificates not being checked during TLS renegotiation. Credit to Antoine Delignat-Lavaud and Karthikeyan Bhargavan from Prosecco of INRIA Paris.
    [315823] Medium-Critical CVE-2013-2931: Various fixes from internal audits, fuzzing and other initiatives.
    [258723] Medium CVE-2013-6629: Read of uninitialized memory in libjpeg and libjpeg-turbo. Credit to Michal Zalewski of Google.
    [299835] Medium CVE-2013-6630: Read of uninitialized memory in libjpeg-turbo. Credit to Michal Zalewski of Google.
    [296804] High CVE-2013-6631: Use after free in libjingle. Credit to Patrik Höglund of the Chromium project.
    [319117] [319125] Critical CVE-2013-6632: Multiple memory corruption issues. Credit to Pinkie Pie.
    [307159] Medium CVE-2013-6634: Session fixation in sync related to 302 redirects. Credit to Andrey Labunets.
    [314469] High CVE-2013-6635: Use-after-free in editing. Credit to cloudfuzzer.
    [322959] Medium CVE-2013-6636: Address bar spoofing related to modal dialogs. Credit to Bas Venis.
    [325501] CVE-2013-6637: Various fixes from internal audits, fuzzing and other initiatives.
    [319722] Medium CVE-2013-6638: Buffer overflow in v8. This issue was fixed in v8 version 3.22.24.7. Credit to Jakob Kummerow of the Chromium project.
    [319835] High CVE-2013-6639: Out of bounds write in v8. This issue was fixed in v8 version 3.22.24.7. Credit to Jakob Kummerow of the Chromium project.
    [319860] Medium CVE-2013-6640: Out of bounds read in v8. This issue was fixed in v8 version 3.22.24.7. Credit to Jakob Kummerow of the Chromium project.
    [249502] High CVE-2013-6646: Use-after-free in web workers. Credit to Collin Payne.
    [326854] High CVE-2013-6641: Use-after-free related to forms. Credit to Atte Kettunen of OUSPG.
    [324969] High CVE-2013-6642: Address bar spoofing in Chrome for Android. Credit to lpilorz.
    [321940] High CVE-2013-6643: Unprompted sync with an attacker’s Google account. Credit to Joao Lucas Melo Brasio.
    [318791] Medium CVE-2013-6645 Use-after-free related to speech input elements. Credit to Khalil Zhani.
    [333036] CVE-2013-6644: Various fixes from internal audits, fuzzing and other initiatives.
    [321940] High CVE-2013-6643: Unprompted sync with an attacker’s Google account. Credit to Joao Lucas Melo Brasio.
    [330420] High CVE-2013-6649: Use-after-free in SVG images. Credit to Atte Kettunen of OUSPG.
    [331444] High CVE-2013-6650: Memory corruption in V8. This issue was fixed in v8 version 3.22.24.16. Credit to Christian Holler.
    [334897] High CVE-2013-6652: Issue with relative paths in Windows sandbox named pipe policy. Credit to tyranid.
    [331790] High CVE-2013-6653: Use-after-free related to web contents. Credit to Khalil Zhani.
    [333176] High CVE-2013-6654: Bad cast in SVG. Credit to TheShow3511.
    [293534] High CVE-2013-6655: Use-after-free in layout. Credit to cloudfuzzer.
    [331725] High CVE-2013-6656: Information leak in XSS auditor. Credit to NeexEmil.
    [331060] Medium CVE-2013-6657: Information leak in XSS auditor. Credit to NeexEmil.
    [322891] Medium CVE-2013-6658: Use-after-free in layout. Credit to cloudfuzzer.
    [306959] Medium CVE-2013-6659: Issue with certificates validation in TLS handshake. Credit to Antoine Delignat-Lavaud and Karthikeyan Bhargavan from Prosecco, Inria Paris.
    [332579] Low CVE-2013-6660: Information leak in drag and drop. Credit to bishopjeffreys.
    [344876] Low-High CVE-2013-6661: Various fixes from internal audits, fuzzing and other initiatives. Of these, seven are fixes for issues that could have allowed for sandbox escapes from compromised renderers.
    [344492] High CVE-2013-6663: Use-after-free in svg images. Credit to Atte Kettunen of OUSPG.
    [326854] High CVE-2013-6664: Use-after-free in speech recognition. Credit to Khalil Zhani.
    [337882] High CVE-2013-6665: Heap buffer overflow in software rendering. Credit to cloudfuzzer.
    [332023] Medium CVE-2013-6666: Chrome allows requests in flash header request. Credit to netfuzzerr.
    [348175] CVE-2013-6667: Various fixes from internal audits, fuzzing and other initiatives.
    [343964, 344186, 347909] CVE-2013-6668: Multiple vulnerabilities in V8 fixed in version 3.24.35.10.
    [344881] High CVE-2014-1700: Use-after-free in speech. Credit to Chamal de Silva.
    [342618] High CVE-2014-1701: UXSS in events. Credit to aidanhs.
    [333058] High CVE-2014-1702: Use-after-free in web database. Credit to Collin Payne.
    [338354] High CVE-2014-1703: Potential sandbox escape due to a use-after-free in web sockets.
    [328202, 349079, 345715] CVE-2014-1704: Multiple vulnerabilities in V8 fixed in version 3.23.17.18.
    [352369] Code execution outside sandbox. Credit to VUPEN.
    [352374] High CVE-2014-1713: Use-after-free in Blink bindings
    [352395] High CVE-2014-1714: Windows clipboard vulnerability
    [352420] Code execution outside sandbox. Credit to Anonymous.
    [351787] High CVE-2014-1705: Memory corruption in V8
    [352429] High CVE-2014-1715: Directory traversal issue
    [354123] High CVE-2014-1716: UXSS in V8. Credit to Anonymous.
    [353004] High CVE-2014-1717: OOB access in V8. Credit to Anonymous.
    [348332] High CVE-2014-1718: Integer overflow in compositor. Credit to Aaron Staple.
    [343661] High CVE-2014-1719: Use-after-free in web workers. Credit to Collin Payne.
    [356095] High CVE-2014-1720: Use-after-free in DOM. Credit to cloudfuzzer.
    [350434] High CVE-2014-1721: Memory corruption in V8. Credit to Christian Holler.
    [330626] High CVE-2014-1722: Use-after-free in rendering. Credit to miaubiz.
    [337746] High CVE-2014-1723: Url confusion with RTL characters. Credit to George McBay.
    [327295] High CVE-2014-1724: Use-after-free in speech. Credit to Atte Kettunen of OUSPG.
    [357332] Medium CVE-2014-1725: OOB read with window property. Credit to Anonymous
    [346135] Medium CVE-2014-1726: Local cross-origin bypass. Credit to Jann Horn.
    [342735] Medium CVE-2014-1727: Use-after-free in forms. Credit to Khalil Zhani.
    [360298] CVE-2014-1728: Various fixes from internal audits, fuzzing and other initiatives.
    [345820, 347262, 348319, 350863, 352982, 355586, 358059] CVE-2014-1729: Multiple vulnerabilities in V8 fixed in version 3.24.35.22.
     
  3. JerryM

    Who do you think is going to wade through all that?
    Jerry

     
  4. JerryM

    "If that's the only reason, why not get a VPN instead, then all your traffic will be protected instead of only the browser traffic."

    Too much trouble for me.
    Jerry
     
  5. vojta

    SafePay is a very, very simple browser stripped of most of Chrome's functionality: no addons, no plugins except the sandboxed version of Flash, no sync, no apps, etc.

    You simply don't know which, if any, of those vulnerabilities apply to SP. As I said before, it is continuously updated. What is included in those updates? I guess that those interested in this program should ask Bitdefender about the issues discussed here; we can only speculate.
     
  6. vojta

    Every time that you open SafePay free it performs a scan of all active processes a la HitmanPro. I guess that helps.
     
  7. fax

    Uhm, the contrary also seems valid: you don't know which ones do not apply to SP, as many seem not really linked to addons, plugins, sync, apps, etc. I think the OP has a valid point, not sure why you undermine his findings. Looks like a very good contribution on potential security issues that no one else has spotted before :thumbd: . Of course, some reaction from the BD developers would be desirable...

    EDIT: Well, even BD staff recognise that it is a potential issue and are looking into it, but there is no easy way out due to heavy customization of Chrome. They will try to be as near as possible to the latest "safe" Chrome.
    http://forum.bitdefender.com/index.php?showtopic=53319
     
    Last edited: Apr 24, 2014
  8. vojta

    Am I doing that?
     
  9. vojta

    That's good news, I hope they do it right.
     
  10. BoerenkoolMetWorst

    BD's version doesn't seem to use sandboxing at all, there are no processes with Low or Untrusted integrity level, this seems to confirm it:
    "For example, we will release in 2015 version a Safepay based on multiprocess Chromium, not the single process currently released (which caused us so many issues regarding Flash instability, for example)."


    All BD processes from the standalone SafePay load some BD DLLs that are not ASLR enabled.

    Addons/apps and plugins (except for PDF and Flash) are not included in Chrome, so the vulnerabilities do not apply to them. It seems likely to me that at least a majority of those vulnerabilities apply to SP.
    The Flash plugin is not sandboxed btw, it uses the NPAPI plugin already installed on a user's system, though it does check if it's up-to-date and is disabled by default.
    We may not know what is included in the updates, but we do know it's not a newer version of Chrome/Chromium.

    Good to know, I already opened a support ticket but haven't gotten a reply so far.
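
The "not ASLR enabled" observation in the post above can be checked per DLL by reading the DllCharacteristics field of the PE optional header. This is an added example, not part of the original post and not Bitdefender's code; the function names are hypothetical and the sample images are constructed, header-only byte strings.

```python
import struct
import sys

# Flag values from the PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001   # COFF Characteristics
HIGH_ENTROPY_VA = 0x0020              # DllCharacteristics
DYNAMIC_BASE = 0x0040                 # DllCharacteristics: image opts in to ASLR
NX_COMPAT = 0x0100                    # DllCharacteristics: image opts in to DEP
DLLCHAR_OFFSET = 70                   # same offset in PE32 and PE32+ optional headers


def pe_mitigations(data):
    """Return the exploit-mitigation flags recorded in a PE image's headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    opt = e_lfanew + 24               # 4-byte signature + 20-byte COFF header
    if opt + DLLCHAR_OFFSET + 2 > len(data):
        raise ValueError("truncated PE headers")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    (file_chars,) = struct.unpack_from("<H", data, e_lfanew + 4 + 18)
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    (dll_chars,) = struct.unpack_from("<H", data, opt + DLLCHAR_OFFSET)
    dynamic_base = bool(dll_chars & DYNAMIC_BASE)
    relocs_stripped = bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32_plus": magic == 0x20B,
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        # The loader cannot rebase an image whose relocations were stripped,
        # so the DYNAMIC_BASE flag alone is not enough.
        "aslr_effective": dynamic_base and not relocs_stripped,
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "nx_compat": bool(dll_chars & NX_COMPAT),
    }


def build_sample_pe(dll_chars, file_chars=0x2102, magic=0x10B):
    """Constructed header-only PE image for the demo (not a loadable DLL)."""
    e_lfanew = 0x80
    buf = bytearray(e_lfanew + 24 + 96)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", buf, e_lfanew + 4 + 18, file_chars)
    struct.pack_into("<H", buf, e_lfanew + 24, magic)
    struct.pack_into("<H", buf, e_lfanew + 24 + DLLCHAR_OFFSET, dll_chars)
    return bytes(buf)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Audit real modules: pass DLL/EXE paths on the command line.
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, pe_mitigations(fh.read(4096)))
    else:
        samples = {
            "constructed: DYNAMIC_BASE + NX_COMPAT": build_sample_pe(0x0140),
            "constructed: no mitigation flags": build_sample_pe(0x0000),
            "constructed: DYNAMIC_BASE, relocs stripped": build_sample_pe(0x0040, 0x2103),
        }
        for name, image in samples.items():
            print(name, pe_mitigations(image))
```

A module reported with `aslr_effective: False` loads at its preferred base address unless a system-wide or per-process policy forces relocation.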
     
  11. vojta

    All this is really interesting and I think it's very good that BD intends to keep up with the full version of Chrome. But, once again, the possibility of being infected while on my bank's site, Paypal, Amazon, etc., doesn't make me lose sleep.
     
  12. itman

    Actually, it doesn't matter what software the hardened browser is based on in regards to zero day exploits.

    "For example, hardened browsers are ineffective against zero-day exploits."
    http://resources.infosecinstitute.com/modern-online-banking-cyber-crime/

    If that is your concern, use something like IE10/11 with EPM set on along with other hardening settings running under EMET 4.1. Also, all a hardened browser does is protect you from malware on your own PC.
     