If you use Chrome, what malware can infect you?

Discussion in 'sandboxing & virtualization' started by Brandonn2010, Oct 19, 2013.

Thread Status:
Not open for further replies.
  1. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    I've been confused by some posts I've seen lately about Chrome. They make it seem as if Chrome is impenetrable.

    If you used Chrome, and that was your only infection vector (no USB or P2P programs), can you only be infected by downloading malware and running it thinking it was safe (trojans)? Would you be immune to things like fake AVs?

    That doesn't sound right.
     
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Fake AVs are installed by the user (just like trojans), nothing Chrome can do about that except blacklisting and file reputation. You still have to watch out for phishing and other online threats.

    There are exploits, but they're extremely rare (especially in real world) like all sandbox bypasses. And of course, there's little you can do against an experienced blackhat targeting you.
     
  3. guest

    guest Guest

    It's not that Chrome is impenetrable. Chrome has a good security mechanism. The experts here will explain it better, and also there are some readings here and there but I don't really have time to collect them to be presented here.

    If you intentionally execute the malware, then as you said, you will get infected no matter what. I'm not sure if fake AVs nowadays will auto execute themselves. Last time I know I needed to execute it to infect my system.
     
  4. guest

    guest Guest

    Extremely rare and overhyped by security product vendors.
     
  5. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Fake AVs can auto-download using JavaScript, but not auto-execute.
     
  6. guest

    guest Guest

    I know about auto downloads, I've encountered them a few times. It's just the auto execute that I wasn't sure about.
     
  7. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Although quite dated, here's some info on the effectiveness of Chrome's sandboxing and use of integrity levels on Windows (do take a good look at the Caveats!):

    -http://www.chromium.org/developers/design-documents/sandbox

    As already mentioned before by Hungry Man and others in this forum, Chrome's sandbox is stronger on Linux:

    -https://code.google.com/p/chromium/wiki/LinuxSandboxing

    There're also the options to restrict JavaScript and images (although rudimentary), and block plugins under the Settings menu. As well, there's also the built-in phishing and malware protection to offer some protection under the Privacy heading. As for its XSS protection, afaik it offers decent protection against it but nowhere near perfect. Unfortunately there's no anti-scripting plugin available for Chrome that performs as well as Firefox's NoScript.

    Chrome is not impenetrable, especially when taking into consideration the Caveats mentioned and its limited XSS protection, but overall its use of sandboxing, integrity levels (Windows) and kernel filtering in Linux makes it very resistant to attacks.
     
    Last edited: Oct 20, 2013
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Chrome on Windows is quite secure. The sandboxing prevents an attacker from being able to interact with much of the system. The sandbox process (broker) is very small and heavily vetted, making exploitation of it difficult.

    So with a much smaller attack surface, post-exploitation becomes very difficult.

    Still, the kernel is (mostly) exposed and a local kernel vulnerability is enough to break out.

    Chrome is much better on Linux. An attacker has no access to the kernel, or the file system, or really much else (fonts). They need to attack the broker, as kernel exploitation is too difficult - it begins to become much less clear which path of exploitation is easiest.

    Of course, on Windows, an attacker can simply attack unsandboxed code like the Java plugin, though Chrome *does* attempt to stop Java exploits (limiting IPC between broker and plugin) and blocks all Java by default on a page.

    There's also NaCl's sandbox. NaCl applications in Chrome (you likely have not encountered any, but there will very soon be quite a few out) run in its most restrictive sandbox (like the renderer, no access to resources or the kernel) but they also run in an environment that's secured largely through fault isolation and address space segmentation - the short story here is that C/C++ code compiled for NaCl is fundamentally more difficult to exploit than otherwise, and it's further isolated from Chrome itself, and, even if one were to escalate privileges from NaCl (by exploiting a renderer process, for example) you'd still be in an incredibly tight sandbox.

    Google also spends millions on auditing Chrome. They fuzz at ridiculous speeds, across thousands of systems, which reveals new vulnerabilities. They have independent internal audits often. They have an incredibly popular and reputable bug bounty program (that I'm coincidentally in the middle of doing some research on to publish).

    Google is also incredibly fast at patching - every sandbox escape at Pwnium has been patched in under 24 hours.

    So Chrome is really one of the most secure (given its capabilities) programs one can run on a system. On Windows, less so. On Linux, definitely.

    Attackers will not spend the significant amount of time breaking out of Chrome, because they know that the bug will be fixed in hours and almost every Chrome user will be updated within 24 hours. They will for targeted attacks, of course, but you don't throw away Chrome 0days on mass exploitation unless you have something huge planned.

    Chrome attempts to protect against social engineering by blacklisting websites and files. It also warns you if a file is executable. These protections are not significant, and social engineering is still a major factor in attacks against Chrome users; it's the one most often employed in the wild when an exploit page sees a Chrome user.
     
    Last edited: Oct 20, 2013
  9. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    Ahh my brain hurts, but thank you!

    I don't understand about fake AVs needing to execute. A couple years ago my Mom Googled pictures of spider bites, and one link led to a fake AV that ran by itself; I'm pretty sure it didn't download an exe that she ran...(this wasn't Chrome though, I think it was Firefox).
     
  10. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    Well, all the necessary details have been mentioned in the 2 excellent posts above. So, to add a simple summary...

    For exploit mitigation:

    Keep Chrome updated, OS updated, avoid or minimize the amount of code injected into Chrome, maximise the use of exploit mitigation techniques available for your OS (e.g. EMET), practice least privilege, etc.

    As for social engineering, just try your best not to fall for it.
     
  11. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    1,546
    Location:
    Triassic
    Is it OK to put the Chrome exec under EMET? If so, is there anything that should be unticked?
     
  12. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,290
    Location:
    EU
    From this point of view, is there any real difference between Chrome and forks (Chromium, Dragon, etc.)?
     
  13. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    I'd forgotten to mention the sandboxed Flash PPAPI plugin as well, which affords better security, as well as other benefits, than the older NPAPI architecture.

    It seems to be privacy-related:

    Google Chrome and Chromium, How Are They Different?

    Differences on the Linux platform:

    ChromiumBrowserVsGoogleChrome

    Comodo purports better privacy regarding Dragon.
     
  14. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    Does Chromium have Flash and a PDF viewer built-in like Chrome? That's the main reason I use Chrome.
     
  15. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    No, since they're not open-source.
     
  16. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    J_L is right, it uses only the Shockwave Flash NPAPI plugin. As for the PDF viewer, I believe, but am not entirely sure, that it uses a downloaded plugin that displays using what is installed on the system, such as PDF-XChange Viewer, for example if that's what is installed on the machine.
     
  17. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    Chromium comes without a Flash and PDF plugin, but you can get a portable version of Google Chrome, unzip it and put the .dll files in the Chromium folder. The pdf.dll will be recognized right away; for the pepflashplayer.dll you have to modify your Chromium shortcut.
     
  18. I don't think sandbox bypasses are rare, it's just that Google has spent millions in developing Chrome, updates itself regularly, bug bounties and so forth that make it harder for an attacker.

    Ask the guys at VUPEN, I bet they have a few up their sleeve. If there is enough bug bounty money on the table they usually throw the smackdown on Chrome or any other application with vulnerabilities for that matter, when there is enough money in it.
     
  19. No longer the strongest endorser of Chrome on this forum anymore, not because Chrome failed me, but Hungry Man has taken over and Chrome is so strong I am now trying out IE11 (one has to give malware a chance) :D

    A few things one has to consider:

    Chrome's sandbox is built around Integrity Levels, Alternate Desktop and Job Objects. These are OS mechanisms.

    In daily metaphors: no matter how strong you build your house (the sandbox), it will always collapse when there are severe flaws (exploits) in the foundation (the OS).

    That said, Chrome is the sandbox with the smallest vulnerability window with the OS, because it is not designed around preventing attack vectors to hurt the real system, but designed around reducing the attack surface to damage/infect the system.

    In daily metaphor this is the difference between:
    a) trying to defend a border (hooking all system functions) and making sure nobody crosses the border line, like an application virtualisation sandbox does, or ...
    b) defending a bridge (low integrity level) with a fortified gate (alternate desktop) having a small door in it (job object, allowing one user process at a time), like a policy-based sandbox does.

    But it does not protect against user errors (fake AVs or Trojans installed through social engineering/by the user).
     
    Last edited by a moderator: Oct 23, 2013
  20. FreddyFreeloader

    FreddyFreeloader Registered Member

    Joined:
    Jul 23, 2013
    Posts:
    527
    Location:
    Tejas
    Doesn't IE11 have a sandboxed i-frame?
     
  21. Yes, but on Win7 not as restrictive as Chrome. On Win8 it has enhanced protected mode separating workspaces between tabs, but still not as tight a sandbox as Chrome on Vista and higher.
     
  22. FreddyFreeloader

    FreddyFreeloader Registered Member

    Joined:
    Jul 23, 2013
    Posts:
    527
    Location:
    Tejas
  23. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    If that's true then is Chrome more secure than Sandboxie? I mean it has the smallest vulnerability window with the OS, because it is not designed around preventing attack vectors to hurt the real system, but designed around reducing the attack surface to damage/infect the system.
    I guess Chrome is more secure than Firefox and Internet Explorer and Comodo Dragon then?
    Whatever...
     
  24. Keter

    Keter Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    12
    Location:
    USA
    Why is it not as tight? I'm not challenging you, just wondering.
     
  25. Well you were right challenging me. I have no idea about the strength of enhanced protected mode running within a tile container. So I stand corrected that statement was not based on facts or actual experience. :oops:
     
    Last edited by a moderator: Nov 6, 2013