Chrome update closes holes and fixes mouse wheel issues

Discussion in 'other security issues & news' started by ronjor, Jan 25, 2013.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,721
    Location:
    Texas
  2. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492
  3. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,851
    With the amount of holes constantly found in Chrome it would be the new IE6 if not for the patching speed.
     
  4. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,824
    While I tend to agree with you, I would still rather use Chrome than IE. Though my main browser is Firefox.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Not quite. Considering that the holes are found by Chrome team/ bounty program. IE6 was having people find the holes without any bounty program, big difference.
     
  6. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,851
    You think there isn't a profit to be made from selling exploits..? More so than the Chrome bounty program, as you can see from Vupen. The "bad guys" rake in the money from exploits too, hence the ton of malware made every take to take advantage of them.

    While the bounty program is a good initiative it pales in comparison to what the folks finding exploits for the most popular browser get. Add that to the fact that exploits can't go very long in the wild before being discovered (and thus patched by Microsoft) and you start to get a clearer picture.
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    No, my point is that 'lots of vulnerabilities found' is indicative of a good bounty program and review process, not of an insecure program.
     
  8. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,851
    My point is that IE is a bigger, and more profitable target for criminals. Criminals who's day job is looking for exploits v.s. whitehats looking for Google money in their spare time. Yet we don't see hundreds of holes patched every other month in IE (anymore). Meanwhile Chrome's trend of holes found has continued for years, where as it should have declined by now much like how IE declined as it became more secure/holes were patched.
     
  9. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,028
    Location:
    Lloegyr
    I'd rather use Chrome than IE & Chrome isn't normally my preferred browser. I still trust Chrome more for overall security.
     
  10. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,721
    Location:
    Texas
    Let's keep the focus on Chrome in this thread.

    Comparing software products is useless in this day and age.

    Literally every software product out there can be at risk on any given day.
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    The comparison seems fair, as we're discussing the context of these vulnerabilities.

    Which is why we see exploits in the wild for IE, but we don't see them pushing out dozens of fixes. That's the difference.

    Chrome's patching a bunch of vulnerabilities found by researches. IE is patching a bunch of vulnerabilities found by attackers.

    Quite frankly, I'd be happier if IE were seeing more patches issued, because it's incredibly unlikely that there are just 'less' holes.
     
  12. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,851
    While I agree that it is far better to patch vulnerabilities found by researchers vs. in the wild vulnerabilities (I never said MS shouldn't have a bounty program - totally different discussion), my point still stands as the numbers speak for themselves. I'm not sure what makes you think there aren't just less holes, IE hasn't somehow stopped being a highly profitable target.

    @Ronjor The discussion is about the high amount of holes in Chrome, not Chrome vs IE. IE is just being used as a reference as it is in a similar position (Sandboxed, high popularity browser which has gone through a lot of security focused changes) like Chrome.
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Because both projects are massive and complicated, and I don't see why IE would have fewer holes. Comparing reported vulnerabilities doesn't make sense, It seems like using vulnerability statistics to determine how vulnerable an application is can be a bit nonsensical, as the only indication I get from this is that their bounty program is doing really well and the addresssanetizer project is working well.

    By comparison I don't really think it's fair to say IE is 'more secure' because it has fewer vulnerabilities, this only reflects a lack of interest by white-hats, which makes sense considering the lack of bounty program.

    Further, I don't think the number of in the wild exploits is an indicator that IE has *more* bugs than Chrome, only that it attracts more interest from blackhats.

    Essentially I think vulnerability statistics are only good for providing some context, but can't ever really be used to determine how secure a program really is.
     
  14. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    Just to clarify some info posted in this thread.

    Microsoft pays much more than Google, but in the form of contests. Microsoft is incentivating researchers and white hats, but in a different route:

    Lots of other good points about why this approach is considered better by Microsoft can be read on the following links:
    - http://www.computerworld.com/s/article/9218845/Microsoft_kicks_off_250_000_security_contest
    - http://www.computerworld.com/s/arti...0_security_contest?taxonomyId=17&pageNumber=2
     
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Yes, and that's an entirely valid, and, in my opinion, potentially superior method to a bug bounty (they have separate benefits, to be honest). The point is not to say that Chrome is more secure than IE, only that a lot of vulnerabilities only indicates that Chrome's bounty program is working well, and they're attracting a lot of whitehats who are submitting these vulns.
     
  16. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,851
    To me it makes sense that as software security improves, the amount of holes found should decrease. You yourself frequently talk about how hackers are moving to 3rd party software, which it due to the decrease in exploits discovered in Windows. In my opinion, the exact same thing should apply to browsers. It will never reach a point where there are no holes, because features are also added over time. But I don't see why the amount of holes discovered shouldn't decrease over time.

    Well I'm not using the vulnerability count to judge software security, I agree that doesn't make sense. But when there is a clear and obvious decrease in the amount of holes discovered month-after-month, it is obvious that code is improving. Yet, this doesn't seem to apply to Chrome?

    I've never called IE more secure than Chrome because Chrome's sandbox has been proven to be better. The *only* thing that might change that is Windows 8's IE10 Enhanced Protected Mode, but I'd rather wait and see the results as time goes by before suddenly calling IE more secure.

    I agree, but that follows onto the point I was making. Why has it gradually reduced over time for IE?

    I agree, but the Chrome numbers concern me personally. It gives me the impression that there is no progress, where there should be.
     
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I don't think that a decrease in found vulnerabilities means that there are just so few left to find. In fact, Chrome's blog stated that there were fewer vulnerabilities found and this was a good thing/ indicative of vulnerabilities being harder to find. I explicitly stated at the time that it was far more likely due to summer vacation.

    I guess I felt the implication of your post was that, because Chrome's being patched so much, it indicates it's insecure, and if it weren't being patched we'd be seeing these bugs exploited in the wild a-la IE6.

    A lack of a bounty program. There's also a lot more media for a Chrome vulnerability than an IE one. The code is open source as well, so it looks really great when you're applying for a job and you can show the patches themselves, the vulnerable code, etc. I'd much rather hack Chrome than IE, it would look great on my resume, and I'm not willing to turn to crime so hacking IE provides 0 direct profit for me.

    There is no progress.

    Bug bounty programs aren't about finding all of the bugs, in my opinion. They're much more about viewing trends of the bugs. I can probably find some defcon videos about this tomorrow - there was one with someone from Facebook/Mozilla/Google, and another guy, and they discussed the benefits of a bounty program. I also wrote a quick blog post about them, but I usually don't bother linking to my stuff outside of my signature. If you'd like I can post that as well.

    @Wild_Hunter

    The SDL does not belong to Microsoft. Anyone can maintain their own SDL. Google has a security team that audits code, of course. And they use addresssanetizer and other methods for finding the 'easy' ones.

    I don't think the bounty program is really there to help them find the bugs. Maybe to help find the really easy ones? But I think it's far more useful for tracking trends in the bugs themselves - what areas of code they're in, XSS vs overflow, sandbox bypass, etc.
     
  18. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    IMO:

    Microsoft applies SDL (Security Development Lifecycle) to all its latest software (including IE) AFAIK. With that, easier to find bugs and vulnerabilities are found and fixed before the new version of the product even reaches the market (but that takes time and, with that, the release cycle gets slower).

    Google, when it comes to Chrome, may be relying in its bounty program to help mitigate what the rapid release cycle of Chrome probably doesn't allow in terms of time for Google's own devs to find and fix the easier to find holes.

    Just a weak assumption..
     
  19. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    We don't need to guess anything. Microsoft SDL process guidance is available to the public: http://www.microsoft.com/security/sdl/default.aspx

    How to Adopt:

    SDL Process: http://www.microsoft.com/security/sdl/discover/default.aspx
    SDL Tools: http://www.microsoft.com/security/sdl/adopt/tools.aspx
    SDL for Agile: http://www.microsoft.com/security/sdl/discover/sdlagile.aspx
    Consulting Services: http://www.microsoft.com/security/sdl/adopt/consulting.aspx

    Why Adopt:

    Build More Secure Software: http://www.microsoft.com/security/sdl/learn/measurable.aspx
    SDL and Compliance: http://www.microsoft.com/security/sdl/learn/compliance.aspx
    Reduce Development Costs: http://www.microsoft.com/security/sdl/learn/costeffective.aspx
    Assess your Security Needs: http://www.microsoft.com/security/sdl/learn/assess.aspx
    Industry Talk: http://www.microsoft.com/security/sdl/industry/default.aspx

    Resources:

    Evolution of the SDL: http://www.microsoft.com/security/sdl/resources/evolution.aspx
    FAQ: http://www.microsoft.com/security/sdl/resources/faq.aspx
    Publications: http://www.microsoft.com/security/sdl/resources/publications.aspx
    Videos: http://www.microsoft.com/security/sdl/video/default.aspx
     
    Last edited: Jan 25, 2013
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Not sure what you mean. I know what the SDL is.
     
  21. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    Can you link me to a similar amount of info about Google Chrome's SDL? Just to compare some aspects.
     
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Not that I can find too quickly. That's not especially surprising - as Microsoft provides information for developing secure programs so does Chrome provide information for developing secure extensions (that's much easier to find). Having seen plenty of Chrome bugs I'm quite sure they have a security team approving code, I just can't find documentation in the next few minutes of it, if that documentation exists. I may take time tomorrow to look through and find some info.

    I think I get what you were saying though - that it's a 'guess' that Chrome follows a secure development life cycle. I didn't get that.

    https://sites.google.com/a/chromium.org/dev/Home/chromium-security

    There's some quick info. Specifically https://sites.google.com/a/chromium.org/dev/Home/chromium-security/core-principles
     
  23. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    You got it ;)

    Microsoft's SDL seems to be more robust than Chrome's, going from what I could see in the available info. That isn't surprising for me - the rapid release cycle and open source nature of Chrome would at some point ask their price, which is, affect what Google invests in the internal development.
     
  24. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,851
    I guess I just disagree with this PoV. Mainly because it A) suggests that bad guys are now preferring to be good and go after Chrome vulns instead of IE vulns B) that a bounty program would be more profitable than selling to criminals and C) That suddenly hackers have lost interest in IE due to a lack of a bounty program.

    All of which sound flawed to me. The only logical explanation for a reduction in exploits found in IE is that they are harder to find, v.s. plugins which haven't had any security oriented coding focus. Cost vs Time etc. But my point is that this doesn't just apply to IE, it applies to Windows also. Heck, even flash is starting to drop out the spotlight in favor or Java. Yet Chrome is still going.
     
Loading...
Thread Status:
Not open for further replies.