Is Google Chrome truly that vulnerable?

Discussion in 'other anti-malware software' started by CoolWebSearch, Jul 6, 2014.

  1. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,216
    Supposedly there have been at least over 1000 vulnerabilities inside Chrome and inside Chrome's extensions, Sandboxie can protect against these and all that will be found in the future (?):

    http://web.nvd.nist.gov/view/vuln/search-results?query=chrome&search_type=all&cves=on

    So if Google Chrome is that vulnerable, why than is it considered as extremely secure?
    It doesn't make any sense does it?
    Maybe someone else could drop in and explain this and explain what is shown on this link?
     
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,085
    Every software you run will have vulnerabilities sooner or later - especially browsers - and Chrome is no exception. I believe that most of those vulnerabilities were publicly disclosed after they were patched and were not used in zero days attacks on Chrome's users.
    I agree that Sandboxie can be used as additional layer of security but quickly checking through that list I didn't find many vulnerabilities that would allow attackers to bypass Chrome's sandbox.
    IMO Chrome can be considered secure compared to other browsers. It uses system built-in security mechanisms (Windows Vista and above) and it has good sandbox.

    You can use Sandboxie for additional protection if you want, but I don't use it. For me Chrome's and Windows 8 built-in security mechanisms are enough.
     
  3. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,216
    Thanks, that's a relief, I have to admit.
    Plus there was that win32k.sys vulnerability (it was patched by now) that SBIE 3 and 4 to my knowledge cannot/could not fix, no matter how well configured, and yet Chrome could protect against that win32k.sys when operating system was still not patched.

    But I'm interested in 2 things: first, what do and how do you configure your windows 8 settings in its built-in mechanisms?

    and 2: why people hate Google Chrome it it because of the privacy issue? I know for sure that Peter2150 hates it, for example.

    And btw, can I use Malwarebytes Anti-Exploit with Google Chrome and Mozilla Firefox?

    Plus, does SBIE4 protect against exploits, even when tightly configured?
    I will buy Malwarebytes Anti-Exploit just because of these reasons (regardless if tightly configured SBIE4 protects or does not protect against exploits).
    Big thanks in advance, again.
     
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,085
    Chrome uses Windows 8 built-in mechanisms by default, you don't have to configure anything. IMO most people don't like it because of privacy concerns. You can modify some privacy related options in Advanced settings section.
    In my installation I applied Chrome group policy templates to prevent extensions installations and some other security tweaks.

    Can't answer you about Chrome+MBAE or Chrome+MBAE+SBIE setup, as I never used them together.
     
  5. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    That is a huge because. Most people do not even know, that according to Google EULA, Google can read their emails, go through their online stored files or through their browsing history and use those information for whatever purpose it wants, just like recent Facebook mood study, that people agreed to by accepting its EULA. :isay:
     
  6. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,071
    Location:
    Germany
    From my understanding: just because there is a CVE for Chrome, it doesn't necessarily mean that it constitutes a sandbox escape and a full system compromise. For what it's worth it could just mean the ability to achieve remote code execution in a Chrome process, along with all the restrictions that come with it. Unless these restrictions are bypassed, the mere RCE doesn't give the attacker very much.

    It would be nice if someone, who is educated in these things, could verify or correct this assumption.
     
  7. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    424
    Location:
    Canada
    Chrome and MBAE work fine on my computer.
     
  8. FreddyFreeloader

    FreddyFreeloader Registered Member

    Joined:
    Jul 23, 2013
    Posts:
    527
    Location:
    Tejas
    More FUD. The real crooks are the NSA/DHS that put out that report.
     
  9. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,071
    Location:
    Germany
    You bringing up a NSA conspiracy is FUD, this is just about CVEs.
     
  10. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    I am a browser junkie, so I use several different browsers from time to time (not all at 1 time, however). Ergo, I use MBAE premium which enables me to add coverage for "off-brand" browsers, as well as cover my other internet-facing apps, such as email clients, ftp clients, etc. MBAE works smoothly with all of these.

    As for Chrome - I use Slim-jet - a Chromium-based browser. (I prefer not to use Chrome itself since I have heard that it is the trigger for a Klingon death ray.)
     
  11. Syobon

    Syobon Registered Member

    Joined:
    Dec 27, 2009
    Posts:
    469
    emet it
     
  12. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    This.

    Also the amount of exploits found says more about how well the bug bounty system is working than anything else, assuming you're keeping track of all the money being given out on the blog chrome release posts.
     
  13. harshisthere

    harshisthere Registered Member

    Joined:
    Aug 8, 2011
    Posts:
    84
    Firefox and Internet Explorer has more results than Chrome in that Website.
     
  14. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,216
    Fleischmann here is the post I made on AppGuard forum about what posters like you and Malwar say:

    I also remember you said the following:
    "Exploit a Chrome tab and you have extremely restricted file-system and registry access (not even read and write for both in all cases), you can't create new processes, can't read the clipboard and many other things. Exploit an Anti-Virus and you have admin rights, lol."

    You also said:
    "From my understanding: just because there is a CVE for Chrome, it doesn't necessarily mean that it constitutes a sandbox escape and a full system compromise. For what it's worth it could just mean the ability to achieve remote code execution in a Chrome process, along with all the restrictions that come with it. Unless these restrictions are bypassed, the mere RCE doesn't give the attacker very much.
    It would be nice if someone, who is educated in these things, could verify or correct this assumption."

    so, what do you think?

    Malwar also said: Sandboxie's read and write protections are for keeping programs in the sandbox from reading and writing, Chrome has no read or write to the whole Windows file system.

    Malwar says that: "Most of those vulnerabilities were publicly disclosed after they were patched and were not used in zero days attacks on Chrome's users.
    Sandboxie can be used as additional layer of security but quickly checking through that list I didn't find many vulnerabilities that would allow attackers to bypass Chrome's sandbox."

    Supposedly, Chrome can be considered secure compared to other browsers. It uses system built-in security mechanisms (Windows Vista and above) and it has good sandbox-but I still don't believe it is the most secure web browser (far from it) and this is why I use AppGuard and Sandboxie.

    Malwar says that IE (Internet Explorer) 11 with Protected mode plus Smart screen filter (I think) only sandboxes iframes Chrome sandboxes everything and Chrome patches faster every sandbox escape has been patched in under 24 hours. IE has about a 99 percent malware blocking rate in realtime, Chrome has about a 84 percent rate and it warns about downloading .exe files, The blocking rate is NOT the amount of malware the sandbox blocks.''

    So what is true and what is a myth?
    Hopefully someone with vast knowledge about this can shed some light...
    Big thanks in advance to all.
     
  15. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,071
    Location:
    Germany
    I quit worrying about this a couple of days ago and now I just use the snake oil which gives me the least skin irritations. The people who could really answer these questions don't participate in forums like this anyway (this is not meant as a critic against this forum or its community).
     
  16. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    Fleischman...:thumb:

    Bo
     
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Number of vulnerabilities found isn't really an indication of security. It's an indication that people are looking at the project.

    Would you rather use a project where no whitehats are actively trying to hack it and break it to try and make it better? Or the project with 0 vulnerabilities found because no one cares to look at it.
     
  18. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,216
    I must admit, these are very strong arguments, and if you don't mind if I ask you what is your security setup besides Google Chrome?

    Also, are those statements above about Google Chrome true or false, since you seem to be very experienced with Chrome?
    And what is your opinion about what people say that Google Chrome is just another spyware-privacy issues?

    Also, there are posters here who truly hate Google Chrome just because it's a huge company, I won't name them, and I don't think it would be fair at all to name them, but i have to say for myself that I'm concerned-I just don't trust big companies, the question is can we trust Google Chrome, if not for privacy issues than at least for security issues?

    Still it doesn't answer the question about Sandboxie4 where does it stand compared to Google Chrome, why none tests Chrome and Sandboxie to see what's the difference...
    I'm thankful you dropped inside this thread.

    Just for the reacord, these vulnerabilites (1111 of them) are the main reasons why on Sandboxie forums think that Google Chrome should be running sandboxed/under Sandboxie's supervision.
    What do you think about this, Hungry Man?
     
    Last edited: Aug 19, 2014
  19. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,806
    If you don't mind, I would like to step into this conversation and say a few thing's.

    You say you don't trust big companies right? Well, are you running Windows? If so, you're running an OS that comes from a big company (Microsoft).

    My advice to you, is that if you want to use a browser, such as Chrome, apply tweaks that lower privacy/security issues (If you want me to post, I will) and apply some type of exploit tool to prevent vulnerabilities - I recommend EMET, but if you want to try something else, you can always go with HitmanPro.Alert or Malwarebytes Anti-Exploit.

    Now, from what I said before, if you're running Windows (from a big company), you can apply the same techniques as you would with Chrome. Tweak thing's for lower risk of privacy and or security and harden thing's with a tool, such as EMET.

    See, I use to be one of those people who would of never used Chrome, but with a little research and some tweaks on my part, I find it a very reliable and secure web browser.
     
  20. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,083
    Location:
    Netherlands
    First: As Hungryman said, it is better to have a lot of whitehats scrutenizing your code with a bug bounty. This will get out the mistakes made by developers and missed by testers, simply because you can't test all theoretical logic/environment situations.

    Second: An exploit has to be actived by processing some active content (JavaScript, Flash, PDF, etc) in your browser, for instance by visiting a bad-URL. Like Malware told you IE and Chrome have the best URL and reputation filters. Tyrian mentioned that with some tweaks you can reduce the URL-attack surface. Simply setting flash and pdf on click to play and allowing javascript only from certain high level domains. Just have a look at malwaredomainlist, by allowing javascript from ORG, COM and NL (I live in Netherlands) domains, the number of URL's able to do something through javascript is reduced to below 5% of list of malwaredomainlist.

    Third: Better take a look at this http://www.cvedetails.com/vendor/1224/Google.html (select on Product Chrome, application). Important to look at the "killer" colums: gain information and gain priveledges. Others like overflow and code exection are potential show stoppers also, but changing the logic, in most cases does not create a predictable and exploitable intrusion.

    Back to CVE of Chrome: Number of exploits in 2012 shows 2 (click on column #exploits and 2012), you wll see this http://www.cvedetails.com/vulnerability-list/vendor_id-1224/year-2012/hasexp-1/Google.html Now read to what those "chrome" exploits refered to: first was Chrome on android, second was tunnelblick (a VPN for OSX). So not all vulnabilities relate to the "Chrome" you have running on your specific OS.

    So not all vulnabilities are exploitable and not all vulnabilities refer to the target platform you use. Hopes this makes you sleep better
     
    Last edited: Aug 19, 2014
  21. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,216
    Just because I don't trust big companies and none should it doesn't mean I don't use their products, this is a matter of survival, not a matter of what I truly want-that's a key difference when we talk about big companies in general, when it comes to windows, I'd never get the job, if I didn't learn how use windows in the first place, the key differences are also that I like many other people who don't want to use bi companies' products are simply forced to choose, it's not what they really want.

    The same can be said for windows company, I'd be the happiest man if I didn't have the computer, but if I do that I would get fired and up on the street as on of the homeless people, because everything what it's done today it's done through comoputer-fact-again this means I'm forced to decide, it's not my own decision, but enforcement from big companies.

    Peter and Bo Elam definitely hate Google Chrome for example, I know reasoning from Bo Elam which very reasonable (and it has nothing to with privacy or big comapnies), but I don't know anything about Peter, it doesn't matter, it only means that I'm not alone.

    For some reason I trust Mozilla Firefox more than Google Chrome.

    Anyway, thanks for your tips regarding this, but still it doesn't answer the question about Sandboxie4 where does it stand compared to Google Chrome, why none tests Chrome and Sandboxie4 to see what's the difference...
    That's all, the best thing for me is to shut up.
     
  22. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,216
    Thank you for reply and tips, but here is the thing:
    Just for the reacord, these so many vulnerabilites (1111 of them) are the main reasons why on Sandboxie forums think that Google Chrome should be running sandboxed/under Sandboxie's supervision.
    What do you think about this, Windows_Security?
     
  23. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,216
    I guess Google Chrome is not very secure on Windows XP, since XP does not have integrity levels. I'm using on my new Windows 8.1, but I guess I need to uninstall Chrome on my XP because of security issues (since XP does not have integrity levels), or I should simply running Chrome sandboxed (by Sandboxie).
    What do yo all think?
     
  24. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,085
    Integrity level is only one part of Chrome's sandbox. Other restriction still apply on Windows XP also. Here you can read more about Chrome's sandbox: http://www.chromium.org/developers/design-documents/sandbox. If I'm not mistaken Chrome is the only browser that uses sandbox on Windows XP.
    If I would choose to run it under Sandboxie on Windows Xp, then I would use 3.76 version of SBIE.
     
  25. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,806
    No, I see what you mean

    If my last post seemed a bit rude, I apologize, my intentions were not meant in that way.

    And no, I don't think you should shut up, because your questions, answers and opinions matter, just as any other.

    As far as Sandboxie vs Chrome, this is the way I look at it.

    Chrome Sandbox = Run's in a restricted environment, Prevents arbitrary code that may cause damage to the system, Helps prevent exploits from reading or writing any information from the system (Sounds perfect, but not always the case)

    Differences

    While Sandboxie does the same, You can restrict the execution of processes that are associated with said Sandbox, as well as restrict access to any Internet Access that a process may ask for, etc.

    Basically with Chrome you get the built in Sandbox, with Chrome and Sandboxie, you not only get the Chrome built in Sandboxing features, But you end up getting more with Sandboxies extensive set of options, that can be tweaked and hardened to your liking.

    To me, the combo is far more superior than using just one solution

    Of course, this is my own personal opinion.

    Basically...

    Chrome for it's built in sandbox

    Coupled with..

    Sandboxie to further restrict to my needs (Which enables me to manually tweak and handle on what I see)

    I don't know, that is my take on it, I am sure some will disagree.
     
    Last edited: Aug 19, 2014