Friday, September 5, 2008

Google's Chrome Browser Not Yet Secure

In theory, Chrome should be more secure than other browsers because, rather than being a single-threaded application, each tab is handled by its own sandboxed process.

Google (NSDQ: GOOG)'s Chrome browser is only a day old, but security researchers already have found vulnerabilities that can be exploited.
According to a report published by ZDNet, security researcher Aviv Raff has found that he can combine a flaw in the open source WebKit engine with a Java bug to dupe Chrome users into downloading executable files.
Apple, which uses WebKit in its Safari browser, fixed this flaw with its Safari 3.1.2 browser patch. Chrome uses an older version of WebKit that has not been repaired.
Another security researcher, Rishi Narang, claimed to have found a way to crash Chrome with a malicious link.
"An issue exists in how chrome behaves with undefined-handlers in chrome.dll version 0.2.149.27," Narang explained on the Evil Fingers Web site. "A crash can result without user interaction. When a user is made to visit a malicious link, which has an undefined handler followed by a 'special' character, the Chrome crashes with a Google Chrome message window 'Whoa! Google Chrome has crashed. Restart now?' "
And someone identified as "Nerex" has posted proof-of-concept JavaScript code on Milw0rm.com that supposedly "allows files (e.g., executables) to be automatically downloaded to the user's computer without any user prompt."
This exploit appears to be similar to the one identified by Raff.
In theory, Google Chrome should be more secure than other browsers because, rather than being a single-threaded application, each tab is handled by its own sandboxed process with its own memory space. Like a multiengine plane, Chrome is designed not to crash following the loss of a single engine.
"[Chrome] utilizes technology that has historically been associated with operating systems to create isolation between different browser tabs with the aim of improved crash-resistance and security," IDC analyst Al Hilwa said in a research note. "The security capabilities also ensue from a new sandbox model that strengthens what is typically available today from other browsers."
But Chrome is beta software and remains a work in progress.
Hilwa observes that while Google's security architecture isolates the browser's kernel from attacks on rendering-engine vulnerabilities, it doesn't extend this same protection to plug-ins like Java, Flash, and Silverlight.
Mozilla software engineer Robert O'Callahan in a blog post said that while Chrome looks promising, Google's coders still have challenges to overcome. "There are some interesting architectural problems they haven't solved yet, especially with the process separation model, especially with regard to windowless plugins, and also Mac," he said. "These are problems that will be encountered by anyone doing process separation so it will be interesting to see how that goes."

Thursday, September 4, 2008

Speed test: Google Chrome Wins the race and beats Firefox, IE, Safari

Google engineer Lars Bak, who was the technical leader for Chrome's V8 JavaScript engine, said at the launch event Tuesday he's confident Chrome is "many times faster" than the rivals at running JavaScript, the programming language that powers Google Docs, Gmail, and many other Web applications.
But when pressed for specifics, he said that you have to try them by yourself. So I just downloaded that right away and did some research on that.
Google offers a site with five JavaScript benchmarks. On each one of these tests, Chrome clearly won the competition. Let's hope benchmarking experts and developers will weigh in with comments about how well these tests represent true JavaScript performance on the Web--either for ordinary sites or for rich Web apps.
Here's the site description of the speed tests:
• Richards: OS kernel simulation benchmark, originally written in BCPL by Martin Richards (539 lines).
• DeltaBlue: One-way constraint solver, originally written in Smalltalk by John Maloney and Mario Wolczko (880 lines).
• Crypto: Encryption and decryption benchmark based on code by Tom Wu (1,689 lines).
• RayTrace: Ray tracer benchmark based on code by Adam Burmister (3,418 lines).
• EarleyBoyer: Classic Scheme benchmarks, translated to JavaScript by Florian Loitsch's Scheme2Js compiler (4,682 lines).
Google's overall score is head and shoulders above the competition for executing JavaScript.

Google's Chrome browser

Google's Chrome browser is now officially available as a beta, offering the promise of increased speed, security and usability. During a conference call and Webcast with the press today from the Googleplex in Mountain View, Calif., Google trotted out a line-up of engineers to explain what is new for Web users and what Google hopes to gain with Chrome.

Download Google Chrome: http://www.google.com/chrome/
Sundar Pichai, Google's vice president of product management, said the name Chrome itself is indicative of the key value that Google is aiming to provide with the new browser. Chrome is the space where the user interacts with the browser in the traditional Netscape/Mozilla view of browsers. It's an area that Google is aiming to minimize for usability. "Chrome is kind of an ironic name for our product," Pichai said. "Our view is that the browser is just a tool for people to interact with applications that they care about so browsers should not be self-important. We wanted to make sure that people were forgetting why they are using a browser." Google has introduced something called the OmniBox which integrates the traditional browser address bar with a search box.
Features:
• One box for everything
• New Tab page
• Application shortcuts
• Dynamic tabs
• Crash control
• Incognito mode
• Safe browsing
• Instant bookmarks
• Importing settings
• Simpler downloads
