nCircle.com >> 360 Security >> VERT

« SecTorAttendees.com | Main | What does VERT do? »

The Browser with Bling

After years of rumours, the Google browser has appeared, and it's all shiny and Chrome. Yesterday everyone was talking about Google Chrome. Based on Webkit, and sporting a new JavaScript engine, it's looking rather exciting. That being said, this new browser is already hitting some bumps in the road.

Today on milw0rm, a PoC DoS appeared. I know, everyone is saying, 'Oh wow, not another DoS' or, as Amrit mentioned on Twitter, 'Beta software with a bug?'. However, it's not the fact that a DoS exists that I find interesting (I expect there will be a number of them). What I find interesting is that one of the new hyped features of Chrome is that each tab is its own process, so you can avoid browser crashes, and only the tab will crash. This PoC already proves that the initial implementation of tabbed process separation doesn't work. The PoC will crash the entire browser, not just the tab within it.

There's a second proof of concept on milw0rm. This one shows that Chrome uses automatic downloads without user interaction. Wasn't this frowned upon a while back when other browsers did this? Didn't Google learn from their mistakes? Sure, I have the option for Chrome to "Ask me where to save the file", but I don't want that. I would like a "Should I save this file" dialog. I like default download locations, I just want to confirm my downloads first. That's what Firefox does.

I also noticed that ZDNet has mention of a carpet bombing issue (PoC here)

Sure this is a beta, but how many people are going to switch to using it all the time simply because it's a Google product? Remember to be careful people.

On top of that we have the EULA (via The Register), which contains the following:

11.1 You retain copyright and any other rights that you already hold in Content that you submit, post or display on or through the Services. By submitting, posting or displaying the content, you give Google a perpetual, irrevocable, worldwide, royalty-free and non-exclusive licence to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content that you submit, post or display on or through the Services. This licence is for the sole purpose of enabling Google to display, distribute and promote the Services and may be revoked for certain Services as defined in the Additional Terms of those Services.

I'm playing with Chrome to see what sort of issues I find, but Google has ensured that I will NEVER use it as my every day browser with that EULA statement. It is scary, there's really no other way to describe it.

Also note that Chrome has it's own blog.

Posted by Tyler Reguly on September 3, 2008 11:22 AM |

TrackBack

TrackBack URL for this entry:
http://blog.ncircle.com/cgi-bin/mt-tb.cgi/304

Comments (2)

Saint Germain:

Google Chrome is very fast, but with firefox i can have a lot of extensions... so... i keep my Fierfox.

Posted by Saint Germain | September 4, 2008 6:14 AM

Posted on September 4, 2008 06:14

jgraver:

They have since revised that part of the EULA.
http://googleblog.blogspot.com/2008/09/update-to-google-chromes-terms-of.html

Posted by jgraver | September 5, 2008 12:50 PM

Posted on September 5, 2008 12:50

Post a comment

(If you haven't left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won't appear on the entry. Thanks for waiting.)

Verification (needed to reduce spam):

Search


About

This page contains a single entry from the blog posted on September 3, 2008 11:22 AM.

The previous post in this blog was SecTorAttendees.com.

The next post in this blog is What does VERT do? .

Many more can be found on the main index page or by looking through the archives.

Subscribe to this blog's feed
[What is this?]