If you use Chrome, what malware can infect you?

Discussion in 'sandboxing & virtualization' started by Brandonn2010, Oct 19, 2013.

Thread Status:
Not open for further replies.
  1. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,849
    I've been confused by some posts I've seen lately about Chrome. They make it seem as if Chrome is inpenetrable.

    If you used Chrome, and that was your only infection vector (no USB or P2P programs), can you only be infected by downloading malware and running it thinking it was safe (trojans)? Would you be immune to things like fake AVs?

    That doesn't sound right.
     
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Fake AVs are installed by the user (just like trojans), nothing Chrome can do about that except blacklisting and file reputation. You still have to watch out for phishing and other online threats.

    There are exploits, but they're extremely rare (especially in real world) like all sandbox bypasses. And of course, there's little you can do against an experienced blackhat targeting you.
     
  3. guest

    guest Guest

    It's not that Chrome is impenetrable. Chrome has a good security mechanism. The experts here will explain it better, and also there are some readings here and there but I don't really have time to collect them to be presented here.

    If you intentionally execute the malware, then as you said, you will get infected no matter what. I'm not sure if fake AVs nowadays will auto execute themselves. Last time I know I needed to execute it to infect my system.
     
  4. guest

    guest Guest

    Extremely rare and overhyped by security product vendors.
     
  5. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Fake AVs can auto-download using javascript, but not auto-execute.
     
  6. guest

    guest Guest

    I know about auto downloads, I've encountered them a few times. It's just the auto execute that I wasn't sure about.
     
  7. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,983
    Location:
    Canada
    Although quite dated, here's some info on the effectiveness of Chrome's sandboxing and use of integrity levels on Windows (do take a good look at the Caveats!):





    -http://www.chromium.org/developers/design-documents/sandbox

    As already mentioned before by Hungry Man and others in this forum, Chrome's sandbox is stronger on Linux:


    -https://code.google.com/p/chromium/wiki/LinuxSandboxing

    There're also the options to restrict javascript and images (although rudimentary), and block plugins under the Settings menu. As well there's also the built-in phising and malware protection to offer some protection under the Privacy heading. As for its XSS protection, afaik it offers decent protection against it but no where near perfect. Unfortunately there's no anti scripting plugin available for Chrome that performs as a well as Firefox' NoScript.

    Chrome is not impenetrable, especially when taking into consideration the Caveats mentioned and its limited XSS protection, but overall its use of sandboxing, integrity levels (Windows) and kernel filtering in Linux make it very resistant to attacks.
     
    Last edited: Oct 20, 2013
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Chrome on Windows is quite secure. The sandboxing prevents an attacker from being able to interact with much of the system. The sandbox process (broker) is very small and heavily vetted, making exploitation of it difficult.

    So with much smaller attack surface post exploitation becomes very difficult.

    Still, the kernel is (mostly) exposed and a local kernel vulnerability is enough to break out.

    Chrome is much better on Linux. An attacker has no access to the kernel, or the file system, or really much else (fonts). They need to attack the broker, as kernel exploitation is too difficult - it begins to become much less clear which path of exploitation is easiest.

    Of course, on Windows, attacker can simply attack unsandboxed code like Java plugin, though Chrome *does* attempt to stop Java exploits (limiting IPC between broker and plugin) and blocks all Java by default on a page.

    There's also NaCl's sandbox. NaCl applications in Chrome (you likely have not encountered any, but there will very soon be quite a few out) run in its most restrictive sandbox (like the renderer, no access to resources or the kernel) but they also run in an environment that's secured largely through fault isolation and address space segmentation - the short story here is that C/C++ code compiled for NaCl is fundamentally more difficult to exploit than otherwise, and it's further isolated from Chrome itself, and, even if one were to escalate privileges from NaCl (by exploiting a renderer process, for example) you'd still be in an incredibly tight sandbox.

    Google also spends millions on auditing Chrome. They fuzz at ridiculous speeds, across thousands of systems, which reveals new vulnerabilities. They have independent internal audits often. They have an incredibly popular and reputable bug bounty program (that I'm coincidentally in the middle of doing some research on to publish).

    Google is also incredibly fast at patching - every sandbox escape at pwnium has been patched in under 24 hours.

    So Chrome is really one of the most secure (given its capabilities) programs one can run on a system. On Windows, less so. On Linux, definitely.

    Attackers will not spend the significant amount of time breaking out of Chrome, because they know that the bug will be fixed in hours and almost every Chrome user will be updated within 24 hours. They will for targeted attacks, of course, but you don't throw away Chrome 0days on mass exploitation unless you have something huge planned.

    Chrome attempts to protect against social engineering by blacklisting websites and files. It also warns you if a file is executable. These protections are not significant, and social engineering is still a major factor in attack against Chrome users, it's the one most often employed in the wild when an exploit page sees a Chrome user.
     
    Last edited: Oct 20, 2013
  9. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,849
    Ahh my brain hurts, but thank you!

    I don't understand about fake AVs needing to execute. A couple years ago my Mom Googled pictures of spider bites, and one link led to a fake AV that ran by itself; I'm pretty sure it didn't download an exe that she ran...(this wasn't Chrome though, I think it was FireFox).
     
  10. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709
    Well, all the necessary details have been mentioned in the 2 excellent posts above. So, to add a simple summary....

    For exploit mitigation:

    Keep Chrome updated, OS updated, avoid or minimize the amount of code injected into Chrome, maximise the use of exploit mitigation techniques available for your OS (e.g. EMET), practice least privilege, etc

    As for social engineering, just try your best not to fall for it.
     
  11. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    880
    Location:
    Triassic
    Is it OK to put the Chrome exec under EMET? If so, is there anything that should be unticked?
     
  12. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    From this point of view, is there any real difference between Chrome and forks (Chromium, Dragon, etc..)?
     
  13. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,983
    Location:
    Canada
    I'd forgotten to mention the sandboxed Flash PPAPI plugin as well, which affords better security, as well as other benefits, than the older NPAPI architecture.

    It seems to be privacy-related:

    Google Chrome and Chromium, How Are They Different?

    Differences on the Linux platform:

    ChromiumBrowserVsGoogleChrome

    Comodo purports better privacy regarding Dragon.
     
  14. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,849
    Does Chromium have Flash and a PDF viewer built-in like Chrome? That's the main reason I use Chrome.
     
  15. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    No, since they're not open-source.
     
  16. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,983
    Location:
    Canada
    J_L is right, it uses only the Shockwave Flash NPAPI pluginn. As for the PDF viewer, I believe, but not entirely sure, that it uses a downloaded plugin that displays using what is installed on the system, such as PDF-XChange Viewer, for example if that's what is installed on the machine.
     
  17. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,071
    Location:
    Germany
    Chromium comes without a flash und pdf plugin, but you can get a portable version of Google Chrome, unzip it and put the .dll files in the Chromium folder. The pdf.dll will be recognized right away, for the pepflashplayer.dll you have to modify your chromium shortcut.
     
  18. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,413
    I don't think sandbox bypasses are rare, it's just that Google has spent millions in developing chrome, updates itself regularly, bug bounties and so forth that make it harder for a attacker.

    Ask the guys at VUPEN I bet they have a few up their sleeve, if their is enough bug bounty money on the table they usually throw the smackdown on Chrome or any other application with vulnerabilities for that matter when their is enough money in it..
     
  19. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,063
    Location:
    Netherlands
    No longer the strongest endorser on this forum of Chome anymore, not because chrome failed me, but Hungryman has taken over and Chrome is so strong I am now trying out IE11 (one has to give malware a chance) :D

    Few things one has to consider

    Chrome's sandbox is build around Intergrity levels, Alternate Desktop and Job objects. These are OS-mechanismes.

    In daily methaphores: no matter how strong you build your house (the sandbox), it will allways collapse when there are sever flaws (exploits) in the foundation (the OS).

    That said, Chrome is the sandbox with smallest vulnability window with the OS, because it is not designed around preventing attack vectors to hurt the real system, but designed around reducing the attack surface to damage/infect the system.

    In daily methapphore this makes the differences between:
    a) in trying to defend a border (hooking all system functions) and making sure nobody crosses the border line, like a application virtualisation sandbox does or ...
    b) defend a bridge (low integrity level) with a fortified gate (alternate desktop) having a small door in it (job object, allowing one user proces at a time), like a policy based sandbox does.

    But it does not protect against user errors (fake AV's orTrojan's installed through social engineering/by the user).
     
    Last edited: Oct 23, 2013
  20. FreddyFreeloader

    FreddyFreeloader Registered Member

    Joined:
    Jul 23, 2013
    Posts:
    527
    Location:
    Tejas
    Doesn't IE11 have a sandboxed i-frame?
     
  21. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,063
    Location:
    Netherlands
    Yes, but on win7 not as restrictive as chrome,. On Win8 it has enhanced protected mode seperating workspaces between tabs, but still not as tight a sandbox as Chrome on vista and higher.
     
  22. FreddyFreeloader

    FreddyFreeloader Registered Member

    Joined:
    Jul 23, 2013
    Posts:
    527
    Location:
    Tejas
  23. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,191
    If that's true than is Chrome more secure than Sandboxie, I mean it has the smallest vulnerability window with the OS, because it is not designed around preventing attack vectors to hurt the real system, but designed around reducing the attack surface to damage/infect the system.
    I guess Chrome is more secure than Firefox and Internet Explorer and Comodo Dragon than?
    Whatever...
     
  24. Keter

    Keter Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    12
    Location:
    USA
    Why is it not as tight? I'm not challenging you, just wondering.
     
  25. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,063
    Location:
    Netherlands
    Well you were right challenging me. I have no idea about the strength of enhanced protected mode running within a tile container. So I stand corrected that statement was not based on facts or actual experience. :oops:
     
    Last edited: Nov 6, 2013
Loading...
Thread Status:
Not open for further replies.