Carpetbomb bug tarnishes Google Chrome

Google Chrome isn't officially out yet, but security researchers have already picked the browser apart to discover a security vulnerability. The WebKit engine used inside Chrome leaves it vulnerable to the infamous Safari carpetbombing flaw, security researcher Aviv Raff warns. The flaw stems from a combination of a …

COMMENTS

  1. Richard Stubbs
    Black Helicopters

    Why would Google push their own browser?

    With all the inevitable teething and security problems that will occur, why would Google push their own browser?

    It's simple: they've taken (literally) code from Firefox 3, stripped out the Gecko rendering engine and replaced it with the WebKit rendering engine, so it's using the same tech as their upcoming Android platform (technically it's more standards compliant than Gecko); it natively leverages their Gears tech and has a nice sandbox feature (I suspect based on their GreenBorder acquisition) for when "pages go bad", not bringing your entire browser down, just the tab.

    Now the biggest downside: it's not extendable, no extensions, no Adblock Plus! Now let's revisit the question again.

    Why would Google push their own browser?

    Their not worried about IE .... their worried about Firefox getting market share!

  2. Chris Young
    Paris Hilton

    Never mind carpetbombing ...

    ... try visiting a page on MSDN. If it renders many pages as badly as it does the MSDN site, most people will never use it enough to suffer an attack.

    Paris, because at least her misrenderings are kinda cute.

  3. Sandra Greer
    Coat

    It's a BETA

    They want you to find faults and vulns. Especially you MS users, who should know.

    I'm on a Mac so feel very left out.

    I'm going home to sulk...

  4. FathomsDown
    Pirate

    Re: Richard Stubbs

    Why? Have you read the EULA?:

    http://tapthehive.com/discuss/This_Post_Not_Made_In_Chrome_Google_s_EULA_Sucks

  5. Anonymous Coward
    Alert

    Mr Stubbs report to the front of the class!

    "Their not worried about IE .... their worried about Firefox getting market share!"

    Please select the correct version from the following list: they're, there or their

  6. Chris Richards
    Boffin

    @Chris Young

    WebKit is the best renderer around (passing Acid3 100%), so perhaps MSDN has been designed to look right when rendered wrongly by IE, but looks wrong when rendered correctly by WebKit/Chrome.

  7. Tezfair
    Unhappy

    captcha

    I'm getting fed up with Google. Over the last few days all I get is captcha requests each time I search for something.

    Starting to use Live more and more.

  8. Simon.W
    Happy

    Not forgetting the spellchecker

    No longer do I have to cut and paste between my word processor and the comments window. It checks it as you type. Fantastic.

    However, I'm going to uninstall it now until the unprompted file download issue is fixed. That was scary.

  9. Anonymous Coward
    Anonymous Coward

    says Vista only

    So who cares?

  10. Jon Press

    @Why would Google push their own browser?

    Two reasons spring to mind immediately:

    1/ To be able to collect information about all the URLs you're typing into the address bar (thanks to the helpful auto-complete feature)

    2/ To provide a platform which can later be extended to better support web-based applications (making them less clunky and more viable alternatives to things like Office...).

    And of course, just spooking Microsoft might be another reason!

  11. Darren Gallagher
    Coat

    Simon Says build a browser

    Why does the CHROME Icon look like the MB game Simon Says?

    Do I see brainwashing shenanigans by Google?

    I'm going to be amused at the amount of shite that's cascaded through it as the world goes all "Jennifer Government".

    Only time will tell. Mind you, that's if we have any after this Big Bang experiment next week. Simon says, well, nothing as everything has just ceased to exist.

    Mine's the one with travel Guess Who in the pocket and a flux capacitor button hole.

  12. Anonymous Coward
    Anonymous Coward

    heh

    "By submitting, posting or displaying the content you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any content which you submit, post or display on or through, the services"

    Chrome sounds great for enabling me and my content.

  13. Tim Spence

    Speed

    "Against this many are praising the speed"

    What? Against most sites I've tried (Facebook, internal web apps at work, etc) Chrome is many times slower than Firefox. Other people I've spoken to have also commented about how slow it seems too.

    I'm not criticising it, I actually like a lot of other things on it, and I appreciate it's a Beta, but please don't go round proclaiming it's speedy.

  14. Anonymous Coward
    Anonymous Coward

    Chrome EULA

    Google should be hung, drawn and quartered for the provisions in the EULA.

    Do no evil - my arse.

  15. Justin Case

    Google is the new Tesco?

    It wants all of your internets. And it wants them now!

  16. demat
    Thumb Down

    Never mind the bugs...

    Had a test-drive this morning and was reminded how irritating browsing used to be before Adblock and NoScript.

  17. censored

    @ Tap The Hive EULA comments...

    They're ignoring the next line of the bit they highlight:

    "This license is for the sole purpose of enabling Google to display, distribute and promote the Services and may be revoked for certain Services as defined in the Additional Terms of those Services."

    In other words, yes, you do grant Google the right to use and edit whatever you upload via the browser. But Google may only do so in display and promotional activity around the browser or whatever you uploaded to. They can use your Blogger homepage to promote Blogger. Or your YouTube video on their YouTube homepage.

    Not very scary at all.

  18. Anonymous Coward
    Flame

    Re: Why would Google push their own browser?

    Actually, the answer is much simpler than that. Since Google is dependent on Microsoft, Mozilla, Opera and the like for the means to push their ads, it only makes sense for them to eliminate the middle man as much as possible. They have likely incorporated lots of code for ad-serving that won't be bypassed by helpful plugins like Adblock.

    If the answer doesn't have something to do with world domination, then we're not talking about Google.

    No reason to use the Google-approved browser when we already have good choices. I've been using Firefox since the early Mozilla betas and certainly haven't been disappointed in a long time. I don't really care about how well it renders some really screwed up smiley face test either, but I do want to block ads as I see fit and the addons like LiveHTTPHeaders and features like the Password Manager make the browser a better user experience than I can get with any of the others.

  19. Anonymous Coward
    Anonymous Coward

    It's the tactic of a predator to appear ever-so-friendly and entice you in

    Like clowns, there's something creepy about the cuddly image Google projects while it's off sifting through your online activities and reading your every email. If it can display adverts for skiing holidays at the top of an email that mentions skiing then what else about you and your emails is it analysing? Why did gMail start off requiring referrers in order to sign up? Why did they need to establish connections between all their users and then monitor their mail?

    I've often thought that whatever you might say about Bill Gates, the world would be a bit creepier if Steve Jobs had won and the world/Internet revolved around Macs. But I wouldn't trust Google as far as I could throw them and I think in a few years from now we'll look back on the good old days of XP product activation and Vista DRM...

    Can The Register please add two new devil/saint icons for Google to go alongside Bill and Steve? It's only fair, they are the approaching menace after all.

  20. Chris

    Don't be conned!!!

    I am a fan of this browser and have posted elsewhere about what's great about it, BUT

    DON'T BE CONNED BY THE TALK OF OPEN SOURCE

    Looking into this further:

    I have been duped by Google into believing Chrome was Open Source, IT ISN'T

    Google Chrome is built with open source code from Chromium.

    Chromium is the code Google have released to the open source community with the BSD license.

    Chrome built from this code has been adapted for Google commercial objectives (obviously they're not a charity)

    It comes with a pretty scary EULA (End User License Agreement)

    How many people who installed it read this bit of the EULA?

    "By submitting, posting or displaying the content you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any content which you submit, post or display on or through, the services. This license is for the sole purpose of enabling Google to display, distribute and promote the services and may be revoked for certain services as defined in the additional terms of those services."

    Worrying?

    Chrome (and Chromium) are also based on an out-of-date version of WebKit; this out-of-date version has already been patched by Apple for their Safari browser.

    Please read http://blogs.zdnet.com/security/?p=1843

    for details of the CRITICAL flaw

    I am a big fan of Chrome (see my previous posts), but until this critical flaw is fixed it's insecure to use it.

    And I will be using the open source Chromium alternative so I don't have to grant Google a royalty free license to use any content I upload/create/display using their Chrome browser

  21. Chris
    Dead Vulture

    Forget about the browser.

    You'll be wearing Google shoes and pants soon.

  22. Anonymous Coward
    Stop

    Security flaw or...

    ...idiot detector?

    I just tried visiting Raff's PoC site with Chrome and it asked me where I wanted to save the downloaded jar file to. I just hit cancel and the download never started. Anyone who saves a download they didn't request & don't know what it is & then executes it deserves all they get...

    Other than that, it looks pretty underwhelming to me, maybe when google starts publishing some apps that take advantage of it then it might get interesting...

  23. Chris Matchett

    @AC

    Is the answer 'thair'?

  24. Pensare

    MSDN not displaying.....

    Well.....

    If you use M$ SharePoint, only IE will display their "webpages" correctly. Tried Safari, Firefox 2, and Firefox 3 - all display it "wrong". Haven't tried Chrome yet! IF Safari doesn't.......

    Perhaps Chris Young makes a good point...

  25. Anonymous Coward
    Alert

    @ A/C

    "Please select the correct version from the following list: they're, there or their"

    Can you please sit at the desk next to Mr Stubbs, for you have failed to end your sentence with a full stop.

  26. Anonymous Coward
    Alert

    @AC

    "Please select the correct version from the following list: they're, there or their"

    I vote for "them be" or "they be"

    At least, that be right proper grammer where I be a livin'... bo.

  27. Joel Stobart
    Gates Horns

    @Richard Stubbs

    Why their own browser... this browser is not to compete with Firefox or IE, it's to compete with Air, Silverlight and Flex. And onwards to basically attack the offline office products market (MS Office). Google want to make their online apps into installable applications (hence the Gears embedded).

    If Google want to take the Enterprise they need a web browser where they can guarantee that their application won't crash within it. They couldn't do this where pron can crash the browser through another window. They have open-sauced it all so that FF and Apple can take anything (Gears, process-isolation, and ramped JS speed) from them (a plus for Google).

    I see this as google making a play for MS core business by making the browser a new layer in the operating system. Heavyweight boxing should be good sport this year.

    - Joel

  28. Anonymous Coward
    Anonymous Coward

    @Sandra Greer

    So you're saying there are no vulnerabilities on a Mac?

  29. K
    Thumb Up

    Needs some work, but it's sexy..

    It's evolution rather than revolution.

    Chrome definitely renders many times faster than IE and Firefox. The interface is very intuitive and having the tabs in the Window border is simply genius.

    Also it's important to remember it is beta, it is buggy and not all features are complete .. so people who slag it off for not featuring X, or being inferior... YOUR ALL MORONS!

  30. Law
    Gates Halo

    Seems stupid

    Google have a habit of taking forever to release improved betas of desktop software. Given the rate at which browsers need to constantly update for security bugs, it seems to me that Google are pretty silly getting involved in browsers; they should have stuck to plugins and kept supporting Firefox. Other than having a play, I don't think I trust Google enough to escort me through the web just yet - I'm only just happy enough with them managing documents and emails - besides, don't their terms and conditions have a clause (think it's 11) that says everything you push through the browser, no matter what, is owned by them and they can do what they want with it?!?! lol... crazy

    I've not had a chance to play with it yet cos it's Windows only and my XP virtual machine is for development only, so I'm guessing I have to wait! :(

    Bill - cos even he wouldn't claim to own all your data.

  31. Anonymous Coward
    Anonymous Coward

    Apple is the target here

    Apple and Google have been having a bit of an informal love-in for a few years now. Since the new browser uses the same rendering engine as Safari....do you not think that Chrome is just a replacement for Safari? The development would be taken away from Apple - relieving them of the bulk of their headaches and it would enable them to integrate their "office-type" apps with gears so that they can be run on all types of Apple machines - Apple can then concentrate on more high-value stuff.

  32. Peter Smith

    Is there a rootkit?

    Google's new uber-browser seems to run the same sort of PC takeover s/w that spyware runs. In spite of appearing nowhere on MSCONFIG Google updater has assumed a life of its own on my machine and spent the day trying to 'phone home. Next time I sample Google's offerings I'll do it on a VM.

  33. This post has been deleted by its author

  34. Anonymous Coward
    Anonymous Coward

    @Richard Stubbs

    Worried about Firefox gaining market share? Unfortunately nobody is really worried about Firefox gaining a large market share because it won't. "Unfortunately" because it is better than the "market" leader, but then, what isn't. Opera, Firefox, Safari, Epiphany, you name it they're all better than IE.

    However IE will always have the lion's share of the market as long as Windows has the lion's share of the desktop OS market. The vast majority of PC users in the world today are not technical and simply are not interested in changing browsers. They will use whatever is thrown at them.

    Google, however, could overtake Firefox for second position simply because almost all those non-technical users use Google as their search engine. Now if they can push their browser hard enough people will use it, especially if they promise it will provide a better experience with Google, YouTube, Google Earth and the rest.

    As for what Google are scared of, they are really scared of people coming up with ways of blocking their adverts. Pop up blockers, banner blockers and the like are only the thin end of the wedge, developers are working on all sorts of ways of weeding out adverts from internet pages. Killing the sponsored links in search engines? It's possible.

    Now Google want a browser that won't be extensible so that they can push all their ad crap out at non-technical users. They aren't scared of Firefox. They're scared of IE and every other browser that they have no control over.

  35. Sarah Bee (Written by Reg staff)

    Re: Forget about the browser.

    Shoogles?

  36. Daniel
    Paris Hilton

    Never mind carpetbombing ...

    ... it's certainly going to make it faster to watch online carpet *munching*.

    And that, after all, is what the interwebs are really for.

    Paris. Do I really need to explain?

  37. Tom Sparrow
    Happy

    not such a big problem

    I tried the proof of concept - popped up a 'save file as' window (duly cancelled, no file downloaded), so no exploit here.

    First thing I did was wade through the (very minimal) options, and turned on prompt for location to save downloads.

    Not a difficult bug to work around, even from a user perspective.

    And I've found it a lot faster than firefox, but with no plugins and the ever present feeling of being watched I don't think I'll be swapping permanently.

  38. Parax

    Re:Why would Google push their own browser?

    As Joel alluded earlier.. my money is on this:

    Google are pushing apps; Chrome enables you to put an app directly onto your desktop. (Well, a menuless/tabless browser frame anyway - pretend it's an app!)

    By making their web apps work better, they are nearing in on the competition. It has never been in MS's interests to make a speedy efficient browser as their web content sucks [strike that] blows like Gustav!

  39. Peter Smith

    Is there a rootkit?

    No. It's a scheduled task that runs when the machine is idle and is called GoogleUpdateTaskUser. Very sneaky. I found the Apple one when I was nosing about too - that must have come with Safari. I'm starting to wonder if MS is as bad as we all think. I just wish I could get Dreamweaver for Ubuntu and I'd be outta here.

  40. Anonymous Coward
    Thumb Down

    @Needs some work, but its sexy..

    "YOUR ALL MORONS!"

    Hooray for irony! Have you been to school? Learn anything about punctuation? Bloody stupid question these days no doubt.

  41. Anonymous Coward
    Flame

    @ Sandra Greer

    Every bloody Google product is beta. Even after they've been out a few years.

    Beta in google terms = release for others (except for, perhaps MS, where release = beta).

  42. Alexander
    Paris Hilton

    And you guys like ads?

    Tried it, laughed at it, uninstalled it. STALIN would be proud of the EULA, no ad blocker come on basic101 browser plugins, it has a habit of dying on random sites, the usual the browser come in tow with the usual Google crap...I mean who uses this stuff.

    And it might be marginally quicker in places (the ones that don't crash) so where is the killer function that makes it better than other browsers?...oh right it has not got one.

    Paris: because at least she has some functions i want to play with.

  43. Dave Murray
    Coat

    @Simon.W

    Seamonkey and Firefox have spell checked what you type in memo and edit fields for ages. And they are open source, don't eat your copyright materials and don't include a carpetbombing bug!

  44. Simpson

    why??

    1. As a container app for the various Google services. The "final beta" will probably have permanent tabs for Gmail, Google Apps, etc. Even if it never gets to the point where all web pages render as expected, I'm sure that the Google services will all work very nicely. It is iGoogle v.2.

    2. Wireless auction redux. They don't plan to win (or enter) a browser war. Chrome is a vehicle to get the V8 JavaScript engine out there. They have licensed V8 under the BSD license. So any browser can use it without going free software, even IE.

    If other browsers were to begin using the v8 js engine, good for google.

    Then the Oompa-Loompas can focus chrome as just the google services container.

    If chrome were to grab a large market share, that's not too bad for google either.

  45. Anonymous Coward
    Anonymous Coward

    @AC Google Beta

    "Every bloody Google product is beta. Even after they've been out a few years.

    Beta in google terms = release for others (except for, perhaps MS, where release = beta)."

    Google have realised that "beta" = "no warranty" so there is no stable release of virtually any Google product other than the search engine, and if they'd thought of the beta thing before they released their search engine that would still be in beta too.

    However they have a problem on the horizon with corporates. More and more large corporations have a "no betas" policy, and even those that don't are signing up to standards that include a "no betas" clause.

  46. TimM
    Dead Vulture

    Speed and other things

    Sorry, it's lightning fast from what I've tested so far compared to Firefox, especially on slower machines. It's on a par with IE for speed, which is impressive considering IE has the benefit of being essentially embedded in the OS.

    There are obvious bugs and omitted features though, but from what I've seen so far I like. Very much interested in seeing how well the multi-process architecture works as a frequent complaint of all browsers I've used has been where a site can take down the entire browser. Was also expecting launching new tabs to be slow if it's launching a new process, but doesn't seem so.

    Oh and the EULA is a fuss about nothing. It is blindingly obvious it's a cut and paste from the other services, and likewise that they are talking about *their* services (states as much at the beginning). There's no chance it would stand up in court when it comes to assigning rights and copyright to anything you do on the net. Basic statutory rights and UK & EU law wipe it out for a start.

    Sadly of course the media seem to have decided there's little else they can initially bash Google with so they'll put 2 and 2 together and get 5.

    I'm sure the EULA will be fixed up by the time they launch anyway.

  47. Anonymous Coward
    Anonymous Coward

    Application Browser

    Yes, I'm worried about the EULA but I'm not sure that Chrome is targeted as a real browser.

    Performance loading normal web pages seems (to me) to be broadly similar across IE8, Firefox and Chrome.

    The big difference is when you start using web based applications like SalesForce, Google Docs, etc. All the real web applications I use are much slicker.

    I think that Google want to own all our apps and that Chrome is squarely targeted at running web applications so they can achieve this.

  48. Anonymous Coward
    Anonymous Coward

    Oh noes!

    They've ruined that beautiful, simple homepage with a link!

  49. Al Jones

    @Not forgetting the spellchecker

    Firefox has provided spell-checking in text boxes for a long time.

    (Interestingly, I notice that Firefox isn't in the dictionary!)

  50. James Butler

    I'm with TimM

    Very fast rendering and some details need to be worked out for this beta, but very promising.

    Some of the comments on these Chrome-related articles seem to be coming from idiot users, so I'll direct this to the IT professionals out there who should know better ...

    Did you read up on Chrome before you installed it for your "testing"? If you had, you would know what the real killer features are with this WebKit build. Mostly, they are a radical rethinking of how an application works, including separate processes for each tab (instance), a highly-modified open-sourced JavaScript rendering engine (V8), a reimagining of the nature of permissions regarding things like access and execution, and much more.

    As a quick example; the "carpetbombing bug" mentioned in this article would behave completely differently if one were using Safari (or whatever) on XP, because Safari is a slave to Windows permissions as they relate to standard web browsers. Not only would you be able to download that .JAR file, if you were so easily duped, but when it executed, it would be able to take advantage of Windows' permissive nature and work its way down through the OS structure, gaining system powers as it went.

    With Chrome, the download and execution are still available to that particular user account, but there the similarity ends. The downloaded file is owned by that user exclusively, and will not be able to breach further permissions structures in order to fully infect the system. That user would be pwnd, but the system would remain aloof.

    Yet another reminder to use a Limited User account whenever running Windows. It won't do you any good if you use IE or FF or Opera or Safari, but Chrome at least offers some hope of protection.

  51. Anonymous Coward
    Happy

    OK, it's a Beta

    But it's already better than anything else I've been using lately ...

  52. charlie
    Alert

    curious

    I'm no geek - help, how did I end up here??? But without any questions Google helpfully downloaded and installed Chrome on my machine despite my not being logged in as the admin. A very devilish step to get all us office-junkies playing without having to raise our heads above the parapet...

    Personally, I think the scroll is too quick; I'm used to the platonic drift of FF and the latent drag of IE.

  53. Ed

    @Not forgetting the spellchecker

    Spell checking

    BAH let em missreed me typoos

  54. Anonymous Coward
    Thumb Down

    Re:not such a big problem

    The minimal options also offer only minimal control over cookies.

    'Restrict how third-party cookies can be used' - what is that? It seems to still accept all of them.

    Now, I set my default search to Scroogle (url http://www.scroogle.org/cgi-bin/nbbw.cgi?Gw=%s), only browse sites in my LAN and still the infamous Google ID cookie appears every time you start the browser. It does not matter if you delete it, it comes back after a while.

  55. Joseph Gregory
    Thumb Down

    All left

    Looking at my website in Chrome, I find that everything now hugs the left margin even though the code says to centre it all. It simply can't interpret layout code.

    This is a really basic flaw. I know it's a Beta but this is a Bad Beta.
