Wednesday, September 3, 2008

Google Chrome vulnerabilities list

| Armando Romeo |

Ok, news is old, Google has released a new browser and all the web is blogging about it. But my duties are to talk about security so I'm not going to review Google Chrome's features but to list the vulnerabilities already found after only 16 hours from the release. (I fear this post will be outdated in few hours)

Rishi Narang has been the first. A Denial Of Service simple as pie:

Just browse this page and place your mouse over this link (make sure you bookmark this page if you want to read on though):

CRASH ME

Just "evil:%" in the anchor text is capable of crashing all the Chrome tabs (despite all the tabs are separated processes).

Someone has also reported that by entering a very long bookmark may kill the browser. Length has not been given but it's worth a try.

If your Chrome is still alive you may want to try entering

about@:

in the location bar.

Good thing is that the browser doesn't need Administrator rights to run.

Matt Cutt from his blog has stated that the chapter 11 of Eula will be updated. Yes the chapter about you giving all the rights to Google:

a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through, the Services.

I'm worried about the enthusiastic reviews I see online.
Google brand was enough to push an unfinished product up to make it 1% of the User-Agent's used on its very first day.
The risk is high, fuzzers are still crunching...

Free Security Magazines